Outline MCP

Security checks across malware telemetry and agentic risk

Overview

This Outline skill is mostly transparent about its purpose, but it gives agents broad power to read local files, upload them remotely, and make authenticated workspace changes.

Install only where the agent is trusted to modify your Outline workspace and read local files for upload. Use the least-privileged Outline API key available, avoid running it from a host account that can access secrets or private folders, and consider blocking or closely monitoring the raw `api` and `upload` modes unless you specifically need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill requires sensitive environment variables (`OUTLINE_API_KEY`, `OUTLINE_URL`) and explicitly declares them under metadata, but declares no corresponding permissions model for that access. This creates a transparency and least-privilege problem: agents or operators may not realize the skill can consume secrets and use them to read, modify, and upload content into the connected Outline workspace, including the local-file-assisted uploads described in the skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The script accepts a comma-separated list of absolute file paths from the command line and reads each with fs.readFileSync after only checking fs.existsSync, with no path allowlisting, sandboxing, or user confirmation. In the context of an AI-facing MCP bridge, this broadens the skill from remote Outline operations into arbitrary local file access, which can expose sensitive host files and then exfiltrate them by uploading to Outline storage.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The script exposes a generic 'api' mode that accepts an arbitrary Outline API path from the command line and sends an authenticated POST with the bearer token. That materially expands the skill beyond a narrow MCP bridge into a general authenticated API proxy, enabling access to endpoints and actions not constrained by the declared tool surface or expected agent workflow.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The upload flow reads any local file path supplied in JSON and posts the file to a caller-controlled URL with no host validation. In an agent setting, this creates a direct local file exfiltration primitive: an attacker who can influence arguments can cause sensitive local files to be uploaded to arbitrary infrastructure instead of Outline-controlled storage.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The code uses a user-controlled filePath and uploadUrl to read a local file and transmit it remotely, without ensuring the destination belongs to Outline or that the file is within an expected upload scope. This is a strong arbitrary file exfiltration capability and is especially dangerous because the skill explicitly has local filesystem access, increasing the chance that secrets, configs, or user documents could be leaked.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding: The script performs an update_document call using a caller-supplied editMode, including potentially destructive modes like replace, without any interactive warning, dry run, or confirmation of the target document and final content. In an agent automation context, this raises the risk of accidental or prompt-induced bulk defacement, overwriting, or unauthorized modification of workspace content at scale.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The upload path sends local file contents off-host based only on the provided arguments and logs success or failure afterward; there is no explicit warning, preview, or consent check before transmission. In an AI-agent context, silent outbound transfer of local files increases the risk of unintended disclosure because users may not realize a local path is being read and uploaded.

VirusTotal

66/66 vendors flagged this skill as clean.
