EDI MSP Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill claims to provide MSP audit tools, but its setup tells the agent to publish a local skill instead of installing or running the advertised tools.

Do not run the `clawhub publish` command unless you intentionally want to publish that local skill path under your own ClawHub account. Ask the publisher for a complete package containing the referenced MSP scripts and clear run instructions, especially around any reboot action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill advertises a reboot script (`nuc-reset.sh`) as a core function without any warning that running it will disrupt service, terminate active sessions, or potentially affect production workloads. In an MSP context, operators may invoke such a tool during routine maintenance without realizing the operational impact, increasing the chance of accidental outages.

VirusTotal

51/51 vendors flagged this skill as clean.
