Wrike

Security checks across malware telemetry and agentic risk

Overview

This skill coherently helps an agent manage Wrike through a CLI, with expected but sensitive access to Wrike data and a locally stored API token.

Install only if you trust the `claw-wrike` npm package. Use the least-privileged Wrike token available, protect or remove the local config file when no longer needed, and require explicit confirmation before creates, updates, comments, deletes, or any bulk changes in shared Wrike workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 85%
Finding
The setup directs users to persist the Wrike API token in a local config file under ~/.claw-wrike/config.json, but does not clearly warn about credential-at-rest risks such as filesystem exposure, backup leakage, shared accounts, or accidental inclusion in support bundles. This is not overtly malicious, but it normalizes long-lived secret storage without documenting protections or safer alternatives.

VirusTotal

64/64 vendors flagged this skill as clean.
