Bp Annual Rewrite

Security checks across malware telemetry and agentic risk

Overview

The skill appears to include credential-backed remote write and upload actions for business-planning data that need clearer scoping and user control.

Install only if you intend this skill to modify BP records and upload attachments. Use a least-privilege token, isolate the needed environment variables, review every diff and file before upload, confirm the target goal ID, and prefer a dry-run or read-only workflow unless you are deliberately publishing changes.
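The guards recommended above (read only an allow-list of environment variables, produce a reviewable diff, require the target goal ID to be repeated, default to a dry run) can be implemented in a small wrapper around whatever client the skill uses. The following is an added illustration, not code from the skill or from the scanner: the variable names `BP_API_TOKEN` and `BP_API_BASE`, the goal ID format, the `/goals/<id>` path and the `transport` callable are all assumptions, and the sample environment and BP text are constructed for the demo.

```python
import difflib
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional

# Hypothetical names: the real skill's variable names, endpoint and goal-ID
# format are not given on the report page; these stand in for the pattern.
ALLOWED_ENV = ("BP_API_TOKEN", "BP_API_BASE")


class GuardError(Exception):
    """Raised when a guarded write is refused."""


def load_credentials(env: Mapping[str, str], allowed=ALLOWED_ENV) -> dict:
    """Copy only the allow-listed variables out of the process environment.

    The skill is never handed the whole environment, so any other secret that
    happens to be present in the agent runtime stays out of its reach.
    """
    creds = {k: env[k] for k in allowed if k in env}
    missing = [k for k in allowed if k not in creds]
    if missing:
        raise GuardError(f"missing required credentials: {missing}")
    return creds


@dataclass
class WritePlan:
    goal_id: str
    diff: str
    attachments: list = field(default_factory=list)

    def is_empty(self) -> bool:
        return not self.diff and not self.attachments


def plan_changes(goal_id: str, remote_text: str, local_text: str, attachments=()) -> WritePlan:
    """Build a reviewable unified diff instead of sending the new content blind."""
    diff = "".join(difflib.unified_diff(
        remote_text.splitlines(keepends=True),
        local_text.splitlines(keepends=True),
        fromfile=f"remote/{goal_id}",
        tofile=f"local/{goal_id}",
    ))
    return WritePlan(goal_id=goal_id, diff=diff, attachments=list(attachments))


def publish(plan: WritePlan, confirm_goal_id: Optional[str], creds: dict,
            transport: Callable[[str, dict, WritePlan], str], dry_run: bool = True) -> str:
    """Apply the plan only when every guard passes; the default is a dry run.

    - dry_run=True returns the diff for review and sends nothing.
    - the caller must repeat the target goal ID; a mismatch refuses the write.
    - `transport` is the (hypothetical) HTTP client and is only invoked on a
      real run, so this module can be exercised offline.
    """
    if plan.is_empty():
        return "nothing to publish"
    if dry_run:
        return "DRY RUN (no data sent)\n" + plan.diff
    if confirm_goal_id != plan.goal_id:
        raise GuardError(f"goal ID confirmation {confirm_goal_id!r} does not match {plan.goal_id!r}")
    headers = {"Authorization": f"Bearer {creds['BP_API_TOKEN']}"}
    return transport(creds["BP_API_BASE"], headers, plan)


def fake_transport(base_url: str, headers: dict, plan: WritePlan) -> str:
    """Stand-in for the real writeback/upload call; reports what would be sent."""
    return f"POST {base_url}/goals/{plan.goal_id} ({len(plan.attachments)} attachments)"


if __name__ == "__main__":
    # Constructed sample: a fake environment holding one unrelated secret, and
    # two versions of a BP section.
    env = {"BP_API_TOKEN": "t0ken", "BP_API_BASE": "https://bp.example.invalid",
           "AWS_SECRET_ACCESS_KEY": "must-not-leak"}
    creds = load_credentials(env)
    assert "AWS_SECRET_ACCESS_KEY" not in creds
    plan = plan_changes("goal-42", "# Q1 plan\nHire 3 engineers\n",
                        "# Q1 plan\nHire 2 engineers\n", ["summary.md"])
    print(publish(plan, None, creds, fake_transport))                      # dry run: diff only
    print(publish(plan, "goal-42", creds, fake_transport, dry_run=False))  # real send via the stub
```

The point of the shape is that the state-changing call sits behind three independent refusals: a missing credential, a dry-run default, and a goal ID that has to be typed twice. An agent runtime that invokes the wrapper without the confirmation argument gets a preview and no side effect.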

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill performs privileged operations (reading secrets supplied through environment variables, accessing the filesystem, and making outbound network calls) but does not declare those permissions explicitly. This creates a transparency and governance gap: reviewers or runtime policy engines may treat the skill as lower-risk than it really is, while it can still reach sensitive BP data and remote APIs.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The metadata describes the skill as an annual BP review/rewrite tool, but the body also authorizes live state-changing actions: applying content diffs to the BP system, uploading files, and binding attachments. The mismatch is dangerous because users, orchestrators, or security controls may invoke the skill expecting analysis-only behavior, while it can modify production records and persist generated artifacts to remote services.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The script performs an authenticated POST to a production BP writeback endpoint and applies content changes. That is an active, state-changing capability rather than a passive review or package-preparation function, and in the stated skill context it makes the skill materially more dangerous: a user invoking a seemingly review-oriented skill could trigger unauthorized or unintended modifications to business planning data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The script automatically sources API credentials from environment variables and uses them to authenticate a remote write operation. In a skill advertised for annual BP review/rewrite control, embedding credential-backed mutation capability increases the chance of privilege misuse, confused-deputy behavior, and unintended writes whenever the skill runs in a broader agent runtime that has secrets available.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The script performs a network upload and server-side binding of local artifacts to a BP goal, which exceeds a narrowly scoped local review/rewrite helper and creates an external side effect. In this skill context that is risky because invoking the script can modify remote business records and transfer data off-host, so misuse or unexpected execution could cause unauthorized changes or data exposure.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The script uploads local markdown contents to a remote API with no interactive confirmation, content preview, or prominent warning about data egress. In a skill intended for BP rewrite governance these markdown files may contain sensitive internal planning content, so silent transmission to a remote service increases the chance of accidental disclosure.

VirusTotal

0/65 vendors flagged this skill; all 65 reported it clean. Note that an antivirus verdict covers the packaged files only and says nothing about the agentic risks listed above, which stem from what the skill is permitted to do rather than from malicious code.