ServiceNow Agent

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only ServiceNow CLI skill, with credential and sensitive-data risks that are expected for the integration but should be handled carefully.

Install only if you intend to give the skill read access to ServiceNow. Use a scoped read-only ServiceNow account, prefer environment variables or a protected .env over command-line passwords, keep queries narrow with sysparm_limit and sysparm_fields, and ignore any POST/PUT/PATCH/DELETE endpoints present in the reference YAML files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The OpenAPI spec explicitly exposes POST upload endpoints and a DELETE attachment endpoint even though the skill metadata claims read-only access. In an agent context, this mismatch is dangerous because downstream tooling or users may trust the manifest and unknowingly grant a capability that can modify or destroy records and exfiltrate data via uploaded content.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: The API description states that attachments can be uploaded, downloaded, and removed, directly contradicting the skill's stated read-only purpose. This creates a security-signaling failure: operators and agents may rely on the high-level description and miss that the skill includes state-changing actions, increasing the chance of unauthorized modification or deletion.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The OpenAPI spec clearly exposes numerous state-changing POST, PUT, and DELETE endpoints such as checkout, submit_order, add_to_cart, order_now, and delete item/cart operations, which contradicts the skill metadata claiming read-only CLI access. This mismatch is dangerous because downstream agents or users may trust the manifest and invoke actions that place orders, alter records, or delete cart contents, causing unauthorized changes in ServiceNow.

Scope Creep
Severity: High
Confidence: 99%
Finding: The declared read-only scope is exceeded throughout the specification by exposed write and delete operations, including cart modification, order submission, template duplication, variable updates, and step deletion. Scope overreach is a security issue because policy engines, reviewers, or autonomous agents may permit this skill under false assumptions, enabling unintended privileged actions against production ServiceNow resources.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The OpenAPI description explicitly states the Table API supports create, read, update, and delete operations, which conflicts with the skill metadata claiming read-only access. This mismatch is dangerous because downstream agents or users may trust the manifest and invoke a capability set that can modify or destroy ServiceNow records.

Scope Creep
Severity: High
Confidence: 99%
Finding: The spec exposes POST, PUT, PATCH, and DELETE methods on table records, granting write and destructive actions beyond the declared read-only scope. In an agent setting, this can lead to unauthorized record creation, alteration, or deletion if the agent, wrapper, or user relies on the manifest rather than inspecting the raw API definition.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The skill explicitly instructs use of ServiceNow credentials and broad read access to records, attachments, schema, and ticket history, but it does not prominently warn that these operations may expose sensitive enterprise data such as incidents, comments, attachments, user details, or internal catalog information. In an agent setting, this increases the risk of over-collection or inadvertent retrieval of confidential data because the skill frames the capability as routine and safe on the grounds that it is read-only.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The spec exposes destructive DELETE operations for cart items and cart emptying without descriptions warning that they remove user state or may be irreversible. In an agent setting, missing warnings increase the chance of accidental invocation, leading to loss of pending requests or disruption of user workflows.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The checkout and submit_order endpoints are mutating operations that can commit service requests, yet the spec gives no warning that they may place orders or trigger downstream fulfillment. In a skill advertised as read-only, this omission is especially dangerous because an agent could submit real requests under the mistaken belief that it is only retrieving information.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The order_now endpoint can immediately place a catalog order, but the spec lacks any warning about its transactional effect or the potential business impact. Because the surrounding skill context claims read-only access, this endpoint is particularly risky: a user or autonomous agent may invoke it without realizing it creates real service requests.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: Destructive and state-changing operations are documented without any warning, confirmation requirement, or safety guidance, increasing the chance that an agent or user will execute them unintentionally. While the root issue is the broader overexposure of write methods, the absence of warnings further elevates the risk of accidental misuse in an environment expected to be read-only.

Credential Access
Severity: High
Category: Privilege Escalation
Confidence: 95%
Content (excerpt from the skill's own documentation):

## CLI

Use the bundled CLI for all reads. It pulls auth from .env by default. You can override with flags.

### Command overview

Finding: .env

VirusTotal

66/66 vendors flagged this skill as clean.
