Cms Cwork Skils

Security checks across malware telemetry and agentic risk

Overview

This looks like a real CWork integration, but it needs review because it sends appKey-authenticated business data with TLS verification disabled and bundles internal-looking sample results.

Install only in a controlled CWork environment after reviewing the scripts. Require TLS verification to be enabled before use, avoid broad or external logging of employee/message data, remove bundled run-result data if it contains real internal content, and require explicit confirmation before report submission, replies, todo completion, mark-read actions, file uploads, or dependency installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (52)

Tainted flow: 'headers' from os.environ.get (line 29, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
    
    try:
        response = requests.post(
            API_URL,
            json=payload,
            headers=headers,
Confidence
98% confidence
Finding
response = requests.post( API_URL, json=payload, headers=headers, verify=False, allow_redirects=True, timeout=60,

Tainted flow: 'headers' from os.environ.get (line 37, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
headers = {"appKey": app_key}
    
    try:
        response = requests.get(
            API_URL,
            params=params,
            headers=headers,
Confidence
99% confidence
Finding
response = requests.get( API_URL, params=params, headers=headers, verify=False, allow_redirects=True, timeout=60,

Tainted flow: 'headers' from os.environ.get (line 32, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
headers = {"appKey": app_key}
    
    try:
        response = requests.get(
            API_URL,
            params=params,
            headers=headers,
Confidence
98% confidence
Finding
response = requests.get( API_URL, params=params, headers=headers, verify=False, allow_redirects=True, timeout=60,

Tainted flow: 'headers' from os.environ.get (line 32, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
headers = {"appKey": app_key}
    
    try:
        response = requests.get(
            API_URL,
            params=params,
            headers=headers,
Confidence
95% confidence
Finding
response = requests.get( API_URL, params=params, headers=headers, verify=False, allow_redirects=True, timeout=60,

Tainted flow: 'headers' from os.environ.get (line 91, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
headers = {"appKey": app_key, "Content-Type": "application/json"}
    
    try:
        response = requests.post(
            API_URL,
            json=payload,
            headers=headers,
Confidence
99% confidence
Finding
response = requests.post( API_URL, json=payload, headers=headers, verify=False, allow_redirects=True, timeout=120,

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no explicit permissions, yet its documentation clearly describes capabilities involving environment-variable access, file reads/writes, and network/API calls, including authentication bootstrap and package installation. This creates a transparency and least-privilege problem: a caller or platform may underestimate the skill's effective reach, increasing the chance of unsafe execution or overbroad trust in a skill that can access sensitive credentials and external services.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README explicitly instructs operators to record search keywords, timestamps, hit counts, and the selected employee's details to session or external logs. For an employee-search skill, this creates unnecessary retention and propagation of personal and organizational data beyond the primary business purpose, increasing privacy, insider misuse, and secondary disclosure risk.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script disables TLS certificate verification and suppresses the resulting warnings, so HTTPS no longer guarantees the server is authentic. An on-path attacker could intercept or modify requests and responses, exposing the appKey and employee org data or returning tampered data to the caller.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script presents itself as safely retrieving download information while globally suppressing InsecureRequestWarning and later disabling TLS certificate verification. This makes man-in-the-middle interception of file metadata, download URLs, and the appKey header materially more likely, especially because the warning that would alert operators is hidden.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script globally suppresses InsecureRequestWarning specifically because it is making HTTPS requests with certificate verification disabled. This hides active transport-security failures from users and increases the chance that credential-bearing requests will be sent over an untrusted TLS session without detection.

Context-Inappropriate Capability

Medium
Confidence
100% confidence
Finding
The request sends both the appKey and request payload over HTTPS with verify=False, which disables server certificate validation. An attacker on the network path could intercept or modify traffic, steal the appKey, and tamper with the returned collaboration data or responses.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script explicitly disables TLS certificate verification and suppresses the warning that would alert operators to the risk. Because it sends an appKey-authenticated request to a remote HTTPS endpoint, an attacker positioned on the network could perform a man-in-the-middle attack, intercept credentials, and tamper with responses.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script globally suppresses InsecureRequestWarning specifically because it uses verify=False, which hides an active TLS security failure from operators. In a collaboration/report-detail skill, the request carries both an appKey and report identifier, so suppressing certificate warnings makes interception of sensitive business data and credentials much harder to notice.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The HTTPS request explicitly disables certificate verification, which allows a man-in-the-middle attacker to impersonate the remote API endpoint. Because this call includes an authentication header and fetches report details, exploitation could expose credentials and sensitive internal report content or permit response tampering.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script globally suppresses InsecureRequestWarning specifically because it uses verify=False, which hides an important security warning from users and developers. In a skill that sends authenticated requests containing an appKey, this increases the chance that insecure TLS usage goes unnoticed and credentials or response data are intercepted.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The HTTPS request explicitly disables certificate validation while transmitting both authentication material and business data. This enables man-in-the-middle interception or response tampering, which is especially dangerous in a work-collaboration/reporting context that may contain sensitive internal content.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script disables TLS certificate verification and suppresses the resulting warnings while sending an appKey-authenticated request. This allows a man-in-the-middle attacker or TLS-intercepting proxy to impersonate the remote server, read the appKey, and tamper with the API response without the user being alerted.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script globally suppresses InsecureRequestWarning specifically because it uses verify=False, which hides an unsafe transport configuration from operators. This makes man-in-the-middle attacks harder to detect and increases the chance that credentials and todo content are sent to an attacker-controlled endpoint without notice.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The HTTPS request explicitly disables certificate verification during an authenticated API call. An attacker on the network path could impersonate the server, intercept the appKey, read or alter todo completion content, and potentially change workflow actions such as agree or disagree.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script disables certificate validation and suppresses the warning that would normally alert operators to that unsafe behavior. Because the request carries an appKey authentication header, a man-in-the-middle attacker could intercept or tamper with API traffic and steal the credential or alter response data.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script globally suppresses InsecureRequestWarning and performs HTTPS requests with verify=False, which disables certificate validation. This allows man-in-the-middle interception or spoofing of the API endpoint, exposing returned data and the appKey sent in headers.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script explicitly disables TLS certificate verification and suppresses the corresponding warning, while sending an appKey and employee search data over HTTPS. This enables man-in-the-middle interception or tampering on untrusted networks, allowing credential exposure and response manipulation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README documents bulk employee lookup and organizational hierarchy queries, including names, IDs, manager relationships, and department data, but provides no guidance on minimizing, protecting, or restricting handling of this sensitive internal data. In an agent skill context, this omission can normalize broad collection and logging of personnel data, increasing the risk of unnecessary exposure through prompts, logs, downstream tools, or user-visible outputs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly requires complete logging of inbox query parameters and result metadata, but provides no guidance on minimizing, redacting, or protecting potentially sensitive mailbox-derived data. In a work-report/inbox context, query filters, message subjects, counts, and timestamps can reveal employee activity and internal business information, increasing privacy and data-retention risk if logs are broadly accessible or retained too long.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly requires complete logging of mailbox query context, including query time, paging parameters, filter conditions, and result counts, but it provides no data-minimization or privacy guidance. In a work-report outbox context, even metadata about who queried what, when, and with which filters can reveal sensitive employee activity patterns and reporting behavior, creating unnecessary privacy and audit-log exposure.

VirusTotal

67/67 vendors flagged this skill as clean.
