Security audit

Sanity Cms

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for Sanity CMS publishing, but it needs review because it can make authenticated changes to production CMS data without a strong confirmation boundary.

Review before installing. Use a least-privilege Sanity token, prefer a staging dataset, keep draft mode enabled unless you explicitly want live publication, and confirm the project, dataset, document type, document ID, and asset upload before each run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill instructs the agent to execute a shell script (`publish_draft.sh`) but does not declare shell/code-execution permissions. Hidden or undeclared execution capability weakens user and platform trust boundaries, because invoking the skill can trigger local command execution and outbound publishing with write credentials.

Vague Triggers

Medium
Confidence: 90%
Finding:
The trigger scope is very broad: it applies to creating drafts, pushing documents, uploading images, and converting content for any schema. That breadth increases the chance of unintended invocation for ordinary content-editing requests, which could lead to unexpected remote publication or preparation of publishable artifacts without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill description directs sending content and media to a remote CMS using a write-enabled API token, but it does not prominently disclose external data transfer risk or credential sensitivity. This can cause users or orchestrators to pass sensitive drafts, images, or proprietary content to a third-party service without informed consent.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The documentation includes write-capable curl examples using a write-enabled Sanity API token and endpoints that can upload assets or create/replace documents, but it does not place a prominent safety warning immediately around those examples about modifying real tenant data. In this skill's context, that is meaningfully risky because the skill is specifically designed to publish content to arbitrary Sanity instances, so users or downstream agents may execute the examples against production datasets and unintentionally alter live content.

VirusTotal

66/66 vendors flagged this skill as clean.