organization-operating-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate organization API tool, but it needs review because it can make live production changes, store reusable session tokens, and issue arbitrary authenticated API requests.

Install only if you trust the publisher and the ZingUp/Groupoo account being operated. Use `--env test` or an explicit test base URL during development, pass a dedicated `--session-file` per account, protect or delete saved session files, and require human approval before production org changes, public posts, activity publishing/cancel/delete, signups, or any use of the generic `request` command.
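The controls above (an explicit per-account `--session-file`, a non-production `--env` during development, human approval before production changes and before any use of the generic `request` command, and session files that are private to the user) can be enforced in front of the agent rather than left to its judgement. The policy gate below is an added example, not code from the skill, its publisher, or the scanner. It assumes the CLI is invoked as `<subcommand> --flag value ...`; the subcommand names `post-create`, `activity-save`, `activity-publish` and `request` are taken from this page, while `activity-cancel`, `activity-delete`, `org-update` and `signup` are assumed placeholders for the org-change, cancel/delete and signup operations the page describes without naming.

```python
"""Policy gate for an agent calling the organization-operating CLI.

Added example (not the skill's or scanner's code). The flag syntax and the
subcommand names other than post-create / activity-save / activity-publish
/ request are assumptions.
"""
import os
import stat

# Subcommands that change production state and need a human approval.
# post-create / activity-publish are quoted on the page; the rest are assumed
# names. activity-save only creates a draft and is left ungated, matching
# the page's own approval list.
MUTATING = {
    "post-create", "activity-publish", "activity-cancel",
    "activity-delete", "org-update", "signup",
}
SAFE_ENVS = {"test", "local"}


def parse_args(argv):
    """Split argv into (subcommand, flags). `--name value` and `--name=value`
    both work; a bare `--flag` maps to True. Assumed CLI syntax."""
    if not argv:
        return None, {}
    sub, flags, i = argv[0], {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name = tok[2:]
            if "=" in name:
                key, val = name.split("=", 1)
                flags[key] = val
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[name] = argv[i + 1]
                i += 1
            else:
                flags[name] = True
        i += 1
    return sub, flags


def decide(argv):
    """Return ("allow" | "approve" | "deny", reason) for one invocation."""
    sub, flags = parse_args(argv)
    if sub is None:
        return "deny", "no subcommand"
    if not isinstance(flags.get("session-file"), str):
        return "deny", "explicit --session-file is required (one per account)"
    # The page states the default environment is production, so a missing
    # --env is treated as production, never as safe.
    env = flags.get("env", "production")
    if sub == "request":
        # A generic authenticated client bypasses the operation allowlist
        # regardless of environment, so it always needs a human.
        return "approve", "generic authenticated `request` bypasses the allowlist"
    if env in SAFE_ENVS:
        return "allow", f"non-production environment {env}"
    if sub in MUTATING:
        return "approve", f"{sub} changes production state"
    return "allow", "read-only production call"


def session_file_problems(path):
    """Report ways a saved session file is exposed to other local users."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["session file does not exist yet; create it with mode 0600"]
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is accessible to group/others "
                        f"(mode {stat.S_IMODE(st.st_mode):o}); expected 0600")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        problems.append(f"{path} is owned by uid {st.st_uid}, not the caller")
    return problems


def shared_session_files(assignments):
    """Given {account: session_file}, return files used by more than one
    account: two agents sharing a file overwrite each other's tokens."""
    by_file = {}
    for account, path in assignments.items():
        key = os.path.abspath(os.path.normpath(os.path.expanduser(path)))
        by_file.setdefault(key, []).append(account)
    return {f: sorted(a) for f, a in by_file.items() if len(a) > 1}


if __name__ == "__main__":
    # Constructed invocations, not real traffic.
    for argv in (
        ["post-create", "--session-file", "~/.org/acme.json"],
        ["post-create", "--env", "test", "--session-file", "~/.org/acme.json"],
        ["request", "--method", "DELETE", "--path", "/orgs/1",
         "--session-file", "~/.org/acme.json"],
        ["post-create"],
    ):
        print(" ".join(argv), "->", decide(argv))
    print(shared_session_files({"acme": "~/.org/a.json", "beta": "~/.org/./a.json"}))
```

The gate is deliberately conservative: a missing `--env` is production, an unparseable `--env` is production, and `request` is never auto-approved even in a test environment, because the page's concern is the generic client itself, not only where it points.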

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill describes executable capabilities that include network access, file read/write, and environment usage, but it does not declare permissions or constraints. That mismatch is dangerous because an agent may perform sensitive actions such as persisting session tokens locally and sending authenticated requests to external APIs without an explicit permission boundary or user awareness.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `request` subcommand gives callers a generic authenticated HTTP client that can send arbitrary methods, paths, query parameters, and JSON bodies using stored access or refresh tokens. In a skill intended for specific organization/user/post/activity workflows, this bypasses any intended operation allowlist and enables abuse of the user's authenticated session against undocumented or higher-risk API endpoints.

External Transmission

Medium
Category
Data Exfiltration
Content
## Runtime Defaults

- Default base URL is production: `https://api.zingup.club/biz`
- Session state is not written back into the skill repository.
- The safest approach is to pass `--session-file` explicitly.
- If `--session-file` is not provided:
Confidence
89% confidence
Finding
Authenticated requests carrying the stored session tokens are sent to the external endpoint https://api.zingup.club/ (the production base URL `https://api.zingup.club/biz` is the default).

Session Persistence

Medium
Category
Rogue Agent
Content
A "help post" is currently just a normal post, so publish it through `post-create`.
  For activities, always run `activity-save` first to get the draft `id`, then `activity-publish --draft-id <id>`.
- Multi-agent usage:
  different accounts must use different `--session-file` values so one token does not overwrite another in the same environment.
- Environment convention:
  default to production; explicitly pass `--env test` for integration testing and `--env local` for local backend work.
Confidence
92% confidence
Finding
Different accounts must use different `--session-file` values so one token does not overwrite another in the same environment. Environment convention: default to production; explicitly pass `--env test` for integration testing and `--env local` for local backend work.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal