ClawHub

Immens Mcp Fortress

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent WordPress integration, but it gives an agent broad live-site administrative power without enough safety scoping for destructive or business-impacting actions.

Install only for a WordPress access point you intentionally trust with live administrative power. Prefer a staging site or a least-privilege access point first, keep backups available, restrict IPs, and require explicit human approval before deletes, user/account changes, code snippet changes, bulk edits, cache flushes, SEO changes, or WooCommerce/customer operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises broad WordPress administrative control, including write and destructive operations, but does not warn users that connecting it grants an agent the ability to modify or delete live site content and configuration. In an agent ecosystem, missing capability-risk disclosure can lead to over-trusting the skill and accidental destructive actions on production systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The content-management section lists full CRUD and delete-capable media/comment actions without warning that these operations may be irreversible or affect live publishing data. This increases the chance that a user or downstream agent invokes destructive tools without understanding the operational impact.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User, taxonomy, and menu administration features can alter accounts, permissions, navigation, and site structure, yet the skill does not disclose these risks. In WordPress, unintended user or taxonomy changes can lock out administrators, expose content incorrectly, or break site organization and access patterns.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The integration section includes actions such as code snippet CRUD, cache flushing, translations, SEO settings, WooCommerce data access, and other plugin-level modifications without warning about service disruption, code execution risk, or business impact. These capabilities can affect storefront behavior, search visibility, performance, and potentially introduce unsafe code or break production integrations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal