MindStudio HTTP Request Block Skill

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only guide for configuring MindStudio HTTP Request blocks; it is broad and should be used carefully, but it does not install code, run requests, or hide unrelated behavior.

Install only if users understand that HTTP Request blocks can send workflow data to outside services and can modify or delete records. Use trusted endpoints, send only necessary fields, keep credentials in workflow variables or a secret store, prefer PATCH over PUT for partial updates, and require explicit review for DELETE or full-record replacement operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence: 84%
Finding
The README encourages sending workflow output to external APIs, webhooks, and other services without clearly warning that this may disclose sensitive, personal, or regulated data outside the original system boundary. In a skill whose core purpose is exfiltrating workflow data to third parties, omission of privacy and data-handling warnings can lead users to unintentionally transmit secrets, customer data, or internal content to untrusted destinations.

Vague Triggers

Medium
Confidence: 92%
Finding
The skill’s invocation guidance is unusually broad: it says to use this skill whenever a user mentions HTTP requests, webhooks, or many named services, and even says to always use this skill. That can cause the agent to activate data-transfer behavior in contexts where the user may only be asking conceptual questions, increasing the chance of unnecessary configuration of outbound requests and unintended data disclosure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The description encourages sending workflow output to external APIs and webhooks but does not prominently warn that this may transmit sensitive workflow data outside the platform. Without an explicit warning or consent step, users may unknowingly expose personal, confidential, or regulated data to third-party services.

Missing User Warnings

Medium
Confidence: 95%
Finding
The examples encourage sending personal and workflow-generated data such as names, email addresses, summaries, and timestamps to third-party services, but they do not warn users that this is external data disclosure with privacy, compliance, and consent implications. In a skill specifically meant to configure outbound HTTP requests, omission of a disclosure/consent step makes accidental oversharing more likely.

Missing User Warnings

Medium
Confidence: 92%
Finding
The Airtable PUT example presents full-record replacement without clearly warning that PUT semantics can overwrite omitted fields, causing unintended data loss or corruption. Because this is instructional content, users may copy the pattern directly and destroy existing record data they did not intend to modify.

Vague Triggers

Medium
Confidence: 91%
Finding
The description instructs the agent to use this skill whenever a user mentions a wide range of API- or integration-related concepts and explicitly says to 'always use this skill.' That broad routing can cause the skill to activate for loosely related requests and increases the chance that sensitive workflow data is sent to external endpoints without sufficiently specific user intent or safety checks.

Vague Triggers

Medium
Confidence: 89%
Finding
Several trigger phrases such as 'webhook,' 'send data to,' 'fetch data from,' and 'update a record' are generic enough to match common conversation patterns unrelated to safe external transmission. This can lead to unintended skill activation and unsafe progression toward outbound requests or state-changing API calls.

VirusTotal

66/66 vendors flagged this skill as clean.
