Back to skill

Security audit

Leafengines Clawhub Skill

Security checks across malware telemetry and agentic risk

Overview

LeafEngines is a disclosed remote agricultural API/MCP integration, with privacy-relevant data sharing that users should understand before use.

Install only if you trust the LeafEngines provider and are comfortable sending API-key authenticated farm data to its remote service. Use a dedicated revocable API key, review pricing and quota terms, avoid unnecessary precision or sensitive photos, and remove the MCP config entry when you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to connect to a third-party remote MCP server and send requests containing precise latitude/longitude and related agricultural data, but it does not clearly disclose the resulting data transmission, retention, or privacy implications. This can expose sensitive farm, land-use, or operational information to an external service without informed consent, which is especially relevant for commercial agriculture and location-linked datasets.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The API reference explicitly documents collection and transmission of precise latitude/longitude data and base64-encoded photos, but provides no privacy notice, data retention guidance, consent expectations, or handling constraints. In an agriculture context this can expose farm locations, operational details, and potentially identifiable imagery, increasing privacy and commercial sensitivity risks if integrators send data without understanding how it is stored, shared, or protected.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.