Bitly URL Shortner and Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Bitly management helper that uses a local token for documented link and account operations.

Install only if you intend to let this local CLI use a Bitly access token. Use a dedicated or least-privileged token where possible, keep env files outside shared folders with restrictive permissions, review bulk URL inputs and export paths, and avoid sending confidential or internal URLs to Bitly unless that is acceptable for your account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill documentation advertises capabilities to read environment variables, read and write local files, and make network requests, but it does not declare permissions or boundaries for those actions. In an agent ecosystem, this weakens reviewability and consent because a user or orchestrator cannot easily tell that the skill can access secrets, export local data, and transmit data to Bitly over the network.

Missing User Warnings

Low
Confidence: 80%
Finding: The skill instructs users to store Bitly credentials in environment variables or an external env file and supports exporting link data, but it does not warn about sensitive-token handling, local file exposure, or the possibility of exporting account metadata and URLs into other workflows. This increases the chance of accidental credential leakage or unintended disclosure of internal links and analytics data.

VirusTotal

66/66 vendors flagged this skill as clean.
