crm-sync-assistant

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent CRM purpose, but it asks users to enter passwords in chat, sends credentials over plain HTTP, caches bearer tokens locally, and can expose tokens in generated links.

Review carefully before installing. Only use this if you trust the CRM backend and publisher, and avoid entering real passwords into chat unless your organization explicitly approves that workflow. The skill should ideally use HTTPS, a secure auth flow, scoped triggers, and no bearer-token URL fallback before broad deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

High
Confidence: 98%
Finding
The skill explicitly says raw tokens must not be exposed in URLs, but its fallback logic appends the full bearer token as a query parameter. Tokens in URLs are commonly leaked through browser history, logs, referrers, screenshots, and shared links, allowing session hijacking if captured.

Vague Triggers

Medium
Confidence: 87%
Finding
Several trigger patterns are broad enough to activate on generic project or employee-related conversations, including requests about all employees or any named person's projects. Because this skill performs authenticated CRM queries and can expose subordinate data, accidental activation increases the chance of unintended data access or transmission.

Missing User Warnings

High
Confidence: 95%
Finding
The skill collects employee credentials in chat, sends them to a remote service, and persists tokens locally, yet does not clearly warn users about those handling practices or obtain informed consent. This increases the risk of users disclosing passwords into an LLM-mediated channel without understanding storage and transmission consequences.

Ssd 3

High
Confidence: 98%
Finding
The skill instructs the AI to parse account IDs and passwords from free-form chat and use them for login, which is unsafe because chat content may be logged, retained, or exposed to the model/runtime. Handling passwords in natural-language conversation substantially raises credential theft and accidental disclosure risk.

Ssd 3

High
Confidence: 98%
Finding
The repeated workflow for re-prompting and reusing passwords during token expiry or account switching normalizes password entry into chat and expands the number of times secrets are exposed. Repeated collection also increases the attack surface for logging, replay, prompt leakage, and operator error.

VirusTotal

64/64 vendors flagged this skill as clean.
