CNB OpenAPI Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad authenticated CNB API controller, and its automatic execution guidance lacks clear safeguards for destructive or state-changing actions.

Install only if you intend to give an agent broad CNB account and repository authority. Use a least-privilege CNB_TOKEN, avoid storing it in shared shell profiles or logs, verify CNB_API_ENDPOINT, and require your agent workflow to confirm POST/PUT/PATCH/DELETE, PR merge, permission, build, workspace, and AI auto-PR actions before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (79)

Description-Behavior Mismatch (High, 96% confidence)

The manifest frames the skill as a query-oriented integration for code management and collaboration, but the documented API surface includes many write and destructive operations such as deleting repositories, managing members, merging PRs, and starting or stopping workspaces. This mismatch can mislead users and orchestrators into granting or invoking a much more powerful skill than expected, increasing the risk of unauthorized state-changing actions with the bearer token.

Description-Behavior Mismatch (Medium, 94% confidence)

The documentation claims 'complete' CNB OpenAPI access, including AI-driven PR creation and workspace lifecycle operations, which materially exceeds a normal read/query skill. In context, this turns a seemingly informational connector into a broad remote-action capability that can modify code, infrastructure-like workspaces, and repository state using ambient credentials.

Intent-Code Divergence (Medium, 93% confidence)

The document gives conflicting authorization semantics: it states the caller must have repo write permission, while the permission section lists only repo-code:r. In security-sensitive API documentation, this can lead integrators to grant excessive access or incorrectly rely on weaker checks, causing authorization mistakes and potential privilege misuse.

Description-Behavior Mismatch (Medium, 89% confidence)

The skill metadata frames the capability as primarily for querying development data, but this file documents a destructive DELETE operation that removes release assets. That mismatch can cause an agent or user to authorize or invoke a high-impact action under a misleading read-only expectation, increasing the chance of unintended destructive behavior.

Description-Behavior Mismatch (Medium, 89% confidence)

The documented endpoint performs a state-changing administrative action (archiving a repository) even though the skill metadata frames the capability primarily as querying development data. This mismatch increases the risk that an agent or user may invoke destructive write operations under a broader, seemingly read-oriented trust model, potentially disrupting repository access and workflows.

Missing User Warnings (Medium, 98% confidence)

The skill explicitly instructs the agent to automatically execute authenticated curl requests and not ask for confirmation before acting. Because the available API set includes destructive and privileged operations, this removes an important human checkpoint and can lead to accidental deletion, permission changes, merges, or other irreversible actions triggered by ambiguous prompts or prompt-injection-style input.

Missing User Warnings (Low, 84% confidence)

The skill relies on a bearer token and instructs authenticated network access, but it does not disclose privacy, logging, or credential-handling risks to users. In a skill that may access repositories, issues, emails, members, and other sensitive development data, silent authenticated transmission increases the chance of unanticipated exposure or misuse of privileged data.

Vague Triggers (Medium, 91% confidence)

The documentation says CodeBuddy will automatically invoke the skill whenever a conversation involves CNB platform operations, but it does not define narrow trigger conditions or require explicit user confirmation. In a skill that can access authenticated CNB APIs, broad auto-invocation increases the chance of unintended activation and overbroad data access or action selection from ambiguous user prompts.

Missing User Warnings (Medium, 95% confidence)

The examples and usage text describe creating issues and performing merge-request-related operations, but they do not prominently warn that these actions can modify remote CNB data when the skill runs in Craft or Agent modes. Because the skill uses CNB_TOKEN for authentication, a user may not appreciate that natural-language requests could trigger real changes to repositories or collaboration artifacts.

Missing User Warnings (Medium, 96% confidence)

The example agent executes model-generated `curl` commands automatically, with no user confirmation, allowlist, or command validation. Because the model output is influenced by user input and remote prompt/context, this creates a prompt-injection-to-action path that can trigger unintended external requests, misuse the bearer token, or access sensitive CNB resources under the caller's authority.

Missing User Warnings (Medium, 90% confidence)

The documentation shows sending the full conversation history to an external AI chat endpoint but does not warn that prompts, repository identifiers, API outputs, and potentially sensitive data may be transmitted off-process. In this skill's context, returned API data may include internal development metadata, making inadvertent disclosure more likely if users assume everything stays local.

Missing User Warnings (Medium, 98% confidence)

The agent loop executes model-generated `curl` commands automatically via `execCurl(action.value, CURL_VARS)` with an authenticated token substitution, and no user confirmation, allowlist, or command restrictions are shown. In this skill context, that is especially dangerous because the model is connected to repository-management APIs and holds `CNB_TOKEN`, so prompt injection or model error could trigger unauthorized reads, writes, or destructive API actions against CNB resources.

Vague Triggers (Medium, 90% confidence)

The documentation states that OpenClaw will 'automatically call' the skill whenever a conversation involves CNB platform operations, but it does not define narrow trigger boundaries or require explicit user confirmation. In a skill that can read and modify remote development resources, overly broad auto-invocation increases the chance of unintended API calls and surprise execution against real repositories or collaboration objects.

Missing User Warnings (Medium, 95% confidence)

The file instructs users to export CNB_TOKEN but does not clearly warn that it is a sensitive credential with account and API privileges. This can lead users to place the token in shell history, shared config files, screenshots, or logs, increasing the risk of credential disclosure and unauthorized access to CNB resources.

Missing User Warnings (Medium, 92% confidence)

The documentation describes automatic use of the skill for repository, issue, and merge request operations, including examples of creating issues, without warning that these actions may modify remote data. In a live development platform context, this can cause unintended writes, workflow disruption, or changes performed under the user's credentials without sufficiently informed consent.

Vague Triggers (Medium, 94% confidence)

The matcher includes many very generic terms such as "security", "tag", "build", "event", and "member", so the skill can be suggested for many unrelated user requests. In an agent environment, over-triggering can steer workflows toward this skill unnecessarily, increasing the chance of unintended API usage, token exposure through downstream calls, or user confusion about why CNB-related actions are being invoked.

Missing User Warnings (Medium, 88% confidence)

The skill explicitly describes AI-driven automatic coding and PR creation but does not warn users that invoking it can produce repository changes with limited human review. In a developer tooling context, this increases the risk of unsafe, unintended, or policy-violating code being committed through automation.

Missing User Warnings (Medium, 92% confidence)

The documentation notes repo-code:rw permission and bearer-token authentication but does not clearly warn that this endpoint performs authenticated write operations against a repository. Users may underestimate the sensitivity of the required token and the consequences of exposing or misusing a write-scoped credential.

Missing User Warnings (Medium, 89% confidence)

This API sends user-supplied chat messages to a remote AI service, but the documentation does not warn users that repository-related content may leave the immediate local context or carry privacy/compliance implications. In a developer tool context, prompts may include source code, secrets, internal issue data, or other sensitive material, so lack of disclosure increases the risk of unintended sensitive-data exposure.

Missing User Warnings (Medium, 90% confidence)

This documentation exposes a high-impact destructive DELETE operation using repo-manage:rw privileges but provides no warning, confirmation guidance, or safety constraints. In an agent skill context, undocumented destructive actions increase the risk of accidental or prompt-induced deletion because an automated agent may invoke the endpoint without explicit user confirmation or clear guardrails.

Missing User Warnings (Medium, 91% confidence)

This documentation exposes a destructive DELETE endpoint that permanently removes pipeline log content, but it provides no warning about irreversibility, no confirmation guidance, and no mention of safety checks. In an agent skill context, that omission is risky because an automated system may invoke the operation directly from a user prompt, increasing the chance of accidental or unauthorized data destruction.

Missing User Warnings (Medium, 81% confidence)

The documentation describes an action that can trigger builds and inject arbitrary environment variables and YAML config, but it does not warn users about the operational and security consequences. In an agent skill context, this increases the chance of unsafe use, such as triggering costly builds, altering CI behavior, or exposing secrets through build-time parameters.

Missing User Warnings (Medium, 89% confidence)

The documentation exposes a destructive operation that stops a build but does not warn about service disruption, workflow interruption, or the need for user confirmation. In an agent skill context, this increases the chance that an automated system could invoke the action on behalf of a user without clearly surfacing the operational consequences.

Missing User Warnings (Low, 84% confidence)

This documentation describes an authenticated state-changing operation that creates a remote branch but does not explicitly warn that invoking it will modify repository state. In an agent skill context, insufficient disclosure around side effects can lead users or downstream automation to trigger repository changes unintentionally with valid credentials.

Missing User Warnings (Low, 89% confidence)

This documentation exposes a state-changing API operation that locks a repository branch and requires write scope (`repo-code:rw`), but it provides no warning, confirmation guidance, or constraints around when it is appropriate to use. In an agent skill context, this increases the chance that an automated workflow could lock important branches unintentionally, disrupting development and blocking pushes or merges.

VirusTotal

64/64 vendors flagged this skill as clean.