Aiprox Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate AIProx API wrapper, but it asks users to grant payment-backed orchestration authority with webhooks, email, third-party agent routing, and persistent workflows that are not tightly scoped or safety-gated in the artifacts.

Install only if you trust AIProx with your prompts, outputs, spend token, and any third-party agents it routes to. Use low budgets, avoid sensitive data, use only trusted HTTPS callback URLs, and do not create email workflows unless you have separately verified recipient controls, send previews, and limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill documents async webhook delivery to a user-supplied callback URL, but this externally transmits task results outside the declared behavior in the manifest/description. That omission weakens informed consent and can expose sensitive prompts, outputs, or derived data to third-party endpoints the user may not fully understand or validate.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The top-level description understates the breadth of capabilities, including scraping, code-execution/security audit routing, email, market data, vision, and translation. This can mislead users about the real data handling and action surface of the skill, reducing their ability to assess risk before supplying tasks or credentials.

Scope Creep

Severity: High
Confidence: 99%
Finding
The declared network scope says communication is limited to aiprox.dev, yet the async webhook feature causes POST delivery to arbitrary external callback domains. This is a direct mismatch between declared permissions and actual behavior, creating an undeclared exfiltration path for task outputs and potentially sensitive content.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The webhook feature is presented as convenience functionality without a clear warning that full results will be sent to an external URL. In a skill that aggregates outputs from multiple agents, those results may include sensitive prompt content, analysis artifacts, or user-provided data, making silent external delivery risky.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Advertising an email capability without a clear warning means users may not realize the skill can trigger outbound communications on their behalf. This increases the risk of unintended disclosure, spam, social engineering, or reputational harm if prompts are interpreted as send instructions.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The workflow example demonstrates automated emailing in a persistent pipeline without any safety guardrails, recipient verification, or warning. In workflow mode, this is more dangerous because a saved pipeline can repeatedly perform outbound communication with little friction, magnifying accidental or abusive use.
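The overview's guidance (low budgets, only trusted HTTPS callback URLs, verified recipient controls, send previews and limits) and the scope-creep and email-workflow findings above can be enforced on the caller's side with a pre-flight gate that refuses a task or saved workflow before it is submitted. The block below is an added example written for this page, not code from AIProx or the skill; the task and step shape, the trusted callback host, the recipient domain allowlist and the budget cap are constructed assumptions, while the declared scope host aiprox.dev is taken from the finding.

```python
"""Pre-flight policy gate for orchestration tasks carrying a webhook callback
and/or an email step.  Editor's example, not AIProx code.  The request shape
({"budget_usd", "callback_url", "steps": [{"type": "email", "to": [...],
"preview_approved": bool}]}) is an assumption about the skill's inputs."""
import ipaddress
import re
from urllib.parse import urlsplit

# Declared network scope from the skill manifest (the scan reports aiprox.dev).
DECLARED_SCOPE = {"aiprox.dev"}
# Operator-trusted receivers and limits: constructed placeholders, not real values.
TRUSTED_CALLBACK_HOSTS = {"hooks.example.internal"}
ALLOWED_RECIPIENT_DOMAINS = {"example.com"}
MAX_RECIPIENTS = 3
MAX_BUDGET_USD = 5.0
# A literal mailbox address; braces are excluded so templated or model-derived
# recipients such as "{{task.output.email}}" are refused outright.
ADDRESS_RE = re.compile(r"^[^@\s{}]+@[^@\s{}]+\.[a-z]{2,}$", re.IGNORECASE)


def host_in_zone(host, zones):
    """True if host equals one of the zones or is a subdomain of one."""
    return any(host == z or host.endswith("." + z) for z in zones)


def check_callback_url(url):
    """Policy violations for an async-webhook callback URL (empty list means ok)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("callback must use https")
    if parts.username or parts.password:
        problems.append("callback must not embed credentials")
    host = (parts.hostname or "").lower()
    if not host:
        problems.append("callback has no host")
        return problems
    # Literal IPs: refuse loopback, private and link-local targets.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and not ip.is_global:
        problems.append(f"callback targets non-public address {host}")
    # Anything outside the manifest's declared scope must be explicitly trusted.
    if not host_in_zone(host, DECLARED_SCOPE | TRUSTED_CALLBACK_HOSTS):
        problems.append(f"callback host {host} is outside the declared scope and not trusted")
    return problems


def check_email_step(step):
    """Policy violations for an email step in a saved workflow."""
    problems = []
    recipients = step.get("to", [])
    if not recipients:
        problems.append("email step has no recipients")
    if len(recipients) > MAX_RECIPIENTS:
        problems.append(f"email step has {len(recipients)} recipients, limit is {MAX_RECIPIENTS}")
    for addr in recipients:
        if not ADDRESS_RE.match(addr):
            problems.append(f"recipient {addr!r} is not a literal address")
            continue
        domain = addr.rpartition("@")[2].lower()
        if domain not in ALLOWED_RECIPIENT_DOMAINS:
            problems.append(f"recipient domain {domain} is not on the allowlist")
    # A saved pipeline sends repeatedly, so require a human-approved preview.
    if not step.get("preview_approved", False):
        problems.append("email step has no approved send preview")
    return problems


def gate_task(task):
    """Return (allowed, problems) for a task before it is submitted."""
    problems = []
    if task.get("budget_usd", 0) > MAX_BUDGET_USD:
        problems.append(f"budget {task['budget_usd']} exceeds cap of {MAX_BUDGET_USD}")
    if task.get("callback_url"):
        problems += check_callback_url(task["callback_url"])
    for i, step in enumerate(task.get("steps", [])):
        if step.get("type") == "email":
            problems += [f"step {i}: {p}" for p in check_email_step(step)]
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample requests: one compliant, one that trips every check.
    good = {"budget_usd": 2, "callback_url": "https://hooks.example.internal/done",
            "steps": [{"type": "email", "to": ["bob@example.com"], "preview_approved": True}]}
    bad = {"budget_usd": 50, "callback_url": "http://10.0.0.5/x",
           "steps": [{"type": "email", "to": ["{{task.output.email}}", "eve@attacker.example"]}]}
    for name, task in (("good", good), ("bad", bad)):
        allowed, probs = gate_task(task)
        print(name, "allowed" if allowed else "refused", probs)
```

The gate is deliberately deny-by-default: a callback host is accepted only if it sits under the manifest's declared scope or on a short operator-maintained trust list, and an email step is accepted only with literal, allowlisted recipients and a recorded preview approval. Running it as a wrapper in front of task submission and workflow creation gives the consent and limits the findings say the skill itself does not provide.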

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal