Back to skill

Security audit

OpenClaw confluence

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate but powerful Confluence API helper that can change or delete Confluence data and store tokens locally, so it should be used with care.

Install only if you intend to give an agent broad Confluence access under your credentials, including creating, updating, deleting, inviting users, redacting content, and using admin-key capabilities. Prefer least-privilege OAuth scopes or tokens, keep any .env file out of source control with restrictive permissions, and require explicit human review before destructive or administrative commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The `/admin-key` enable/disable operations expose a high-privilege bypass mechanism that can override normal page access restrictions for admins. In an agent-mediated workflow, enabling an admin key increases the blast radius of prompt misuse or confused-deputy behavior because subsequent API calls may access restricted content the user did not intend the agent to handle.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The `/admin-key` enable/disable operations expose a high-privilege bypass mechanism that can override normal page access restrictions for admins. In an agent-mediated workflow, enabling an admin key increases the blast radius of prompt misuse or confused-deputy behavior because subsequent API calls may access restricted content the user did not intend the agent to handle.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The `/admin-key` enable/disable operations expose a high-privilege bypass mechanism that can override normal page access restrictions for admins. In an agent-mediated workflow, enabling an admin key increases the blast radius of prompt misuse or confused-deputy behavior because subsequent API calls may access restricted content the user did not intend the agent to handle.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script exposes direct management of an `/admin-key` endpoint with get, create, and delete operations, which is an administrative capability not reflected in the stated Confluence content/API scope. Hidden or undeclared privileged functionality increases the risk of unauthorized key creation, retrieval, or removal, and in a skill context can enable privilege escalation or compromise of broader connected systems if invoked by users or downstream tooling.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This script exposes a content-modifying redaction operation that is not described in the stated skill surface, which creates a hidden capability users or reviewers may not expect. Undocumented destructive functionality increases the chance of misuse, accidental invocation, and bypass of normal review or consent expectations, especially in a skill that operates against live Confluence content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to place Confluence credentials in environment variables or a local config file but gives no warning about secure storage, shell history leakage, accidental commits, or plaintext config exposure. Because this skill is specifically designed to access a large SaaS knowledge base, mishandled tokens could grant broad read/write access to sensitive enterprise content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The delete command performs an irreversible remote deletion immediately based on CLI arguments, with no confirmation prompt, dry-run mode, or safeguard against accidental invocation. In a script that directly targets a live Confluence API, this increases the risk of unintended content loss from operator error or unsafe automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script exposes a destructive `delete` command that immediately issues a DELETE request for a database ID with no confirmation prompt, dry-run mode, or friction to prevent accidental invocation. In a CLI skill that operates against live Confluence Cloud resources, this increases the risk of unintended data loss from user error, scripting mistakes, or misuse in automation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script extracts existing Confluence credentials and writes them directly into a project-local .env file without warning the user, checking file permissions, or ensuring the file is excluded from version control. This increases the chance of accidental credential exposure through source control, backups, logs, or broader local file access, especially because API tokens are long-lived secrets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script issues a POST to a redact endpoint immediately based only on CLI arguments, with no confirmation prompt, dry-run mode, or validation of user intent. Because redaction is destructive or at least materially alters content, this makes accidental or unauthorized modification more likely when run with valid credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script exposes a delete command that immediately issues a DELETE request to the Confluence space-roles endpoint with no confirmation prompt, dry-run mode, or safety interlock. In a CLI that can modify administrative role assignments, a mistyped ID, copy/paste error, or automation mistake can irreversibly remove a role and disrupt access control or operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script exposes a destructive delete action that immediately deletes a whiteboard based solely on command-line input, with no confirmation prompt, dry-run mode, or guardrail against accidental invocation. In a CLI skill that operates against live Confluence Cloud content, this increases the likelihood of unintended data loss from user error, automation mistakes, or malformed inputs.

Ssd 3

Medium
Confidence
90% confidence
Finding
Including a real personal email address in sample credential configuration normalizes placing account-identifying data directly into setup docs and may expose a real individual's identity. In a credential setup context, this increases the risk of copy-paste misuse, privacy leakage, and encourages users to treat sensitive identifiers casually.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.