Agent Cluster

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but its package describes a much broader, more powerful business automation system than the user-facing CMS summary suggests.

Install only after reviewing the full scope with an administrator. Treat this as an enterprise automation framework, not just a CMS helper: it may need ERP/CMS/Amazon/model credentials, can write or delete commerce resources, stores local logs/memory/snapshots, and contains under-disclosed marketing, security-audit, and customer-service capabilities. Use separate credentials with least privilege and avoid enabling live write operations until the manifest, permissions, approval gates, and platform connectors are corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (103)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The manifest advertises significant capabilities via dependencies, environment variables, and documented components (networked ERP adapters, MCP servers, file-backed config/logging) without declaring corresponding permissions. This is dangerous because users and enforcement layers cannot accurately understand or constrain what the skill may access, enabling unexpected network, environment-secret, MCP, and filesystem operations once installed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill’s stated purpose is a narrow foreign-trade multi-CMS assistant, but the documentation describes a much broader execution framework spanning ERP orchestration, MCP servers, model routing, memory, audit/rollback, and other enterprise functions. This mismatch is dangerous because it can mislead users into authorizing a far more powerful system than expected, increasing the chance of unintended data access, external actions, and unsafe activation in unrelated contexts.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The design materially exceeds the declared skill scope by adding GEO marketing, Amazon ops, customer service, security auditing, and orchestration infrastructure. This scope creep increases effective privileges, data access paths, and invocation surface, making it easier for the skill to perform actions or gather data a user would not reasonably expect from a B2B multi-CMS coordination tool.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
A built-in security-audit agent with API key handling, PII detection, log auditing, and MCP vulnerability scanning is highly sensitive and not justified by the advertised business function. In this context, it normalizes access to secrets, logs, and broad internal telemetry, which could expose confidential data or enable lateral inspection beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The customer-service agent is outside the stated operational/CMS coordination scope and introduces handling of user inquiries, complaints, histories, and automated replies. That broadens data processing into potentially sensitive customer communications without corresponding justification, notice, or clear boundaries.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The GEO and marketing optimization block adds a large unrelated capability set, including market research, competitor intelligence, multilingual publishing, and monitoring. In a skill advertised for foreign-trade CMS coordination, this creates unexpected external data collection and decision-making pathways that raise privacy, misuse, and overreach risks.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation plan materially expands the skill from a declared foreign-trade multi-CMS workflow into a 30-agent GEO/Amazon marketing cluster. This scope mismatch is dangerous because users and operators may grant trust, permissions, or deployment approval based on the manifest while the actual design enables substantially broader data access, automation, and business actions than advertised.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The planned capabilities focus on Amazon listing, ads, profit, and inventory optimization rather than the stated CMS orchestration use case. That discrepancy can conceal higher-risk automation such as market manipulation, external platform interaction, and financially consequential actions under a benign-seeming package description.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The GEO/content-marketing agents extend the system into market research, competitor analysis, and strategic content generation beyond the declared B2B CMS support scope. Hidden capability expansion increases the attack surface and can lead to unauthorized data ingestion, external content operations, and trust boundary violations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The plan explicitly proposes anti-crawling evasion using multi-IP pools and request spacing. This is dangerous because it facilitates bypassing third-party access controls and can be used for unauthorized scraping, policy violations, or abusive collection at scale, which is outside the stated CMS orchestration purpose.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The registry defines a much broader operational surface than the skill metadata advertises, including Amazon operations, GEO/SEO, content generation, customer service, memory, and security administration. This kind of scope drift is dangerous because it can enable unexpected execution paths, data access, and external actions that users and reviewers would not reasonably anticipate from a Shopify/WooCommerce/Magento foreign-trade coordination skill.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Amazon marketplace and advertising agents introduce operational capabilities outside the stated multi-CMS foreign-trade purpose, including listing optimization, ads, reviews, pricing, and inventory actions. If reachable, they could cause unauthorized business actions, cross-platform data use, or user confusion about what systems the skill is allowed to control.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The GEO/SEO and knowledge-graph agents expand the skill into content strategy, search monitoring, structured data, and market intelligence functions that are not described in the manifest. While not inherently malicious, these extra capabilities broaden data collection and action surfaces and make it harder to reason about least privilege and expected behavior.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
API key management and RBAC maintenance are sensitive administrative capabilities; embedding them in a user-facing skill without clear separation of duties increases the blast radius if the orchestration layer is misused. Even if intended for defensive purposes, these functions should not be generally available to a business workflow skill unless tightly isolated.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README describes an enterprise ERP/industrial multi-agent system, which materially conflicts with the manifest claiming an Amazon foreign-trade B2B multi-CMS skill for Shopify/WooCommerce/Magento. This kind of scope mismatch is dangerous because users may grant trust, credentials, or approvals under false assumptions about what the skill actually does, increasing the risk of unintended system access or data exposure.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The documented integrations focus on SAP/用友/金蝶 and generic ERP adapters rather than the claimed Shopify/WooCommerce/Magento CMS platforms. This contradiction can mislead operators into deploying the skill in environments where it may access unrelated enterprise systems or request sensitive ERP credentials not expected from the manifest.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The agent roles are centered on ERP-style inventory, procurement, logistics, finance, and even document/BOM generation, which diverges from the stated foreign-trade CMS use case. This is risky because it expands the apparent operational scope into business functions that may trigger financial or supply-chain actions beyond what a user expects from a CMS-oriented skill.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest claims coordination of only four specialist agents, but the documentation states a 20-agent enterprise system with many additional business functions. Understating the number and breadth of agents is risky because it hides the real operational surface area, making approval, review, and least-privilege decisions unreliable.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The documented capability expands into broad manufacturing and ERP orchestration that is not justified by the stated foreign-trade multi-CMS purpose. This creates a security problem because a user may invoke the skill expecting storefront support while actually enabling workflows that can touch procurement, finance, inventory, and other sensitive enterprise domains.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The manifest claims Shopify/WooCommerce/Magento support, yet the documentation and file structure emphasize ERP/WMS/SRM integrations instead. This is dangerous because reviewers may approve the skill for limited CMS use while it is primarily oriented around deeper back-office integrations that carry higher data sensitivity and operational risk.

Context-Inappropriate Capability

High
Confidence
85% confidence
Finding
The README documents broad Amazon Seller Central/SP-API capabilities including inventory, pricing, reports, and feed submission that materially exceed the declared CMS-oriented scope. In an agent skill, hidden or unjustified commerce-operation features increase the risk of unauthorized business actions, privilege overreach, and reviewer deception about what the skill can actually do.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The architecture explicitly includes ADMIN-level capability and references administrator credential modification as a dangerous operation, which means the system is designed close to sensitive account-management boundaries. In an agent-driven executor, exposing admin powers materially raises the risk of account takeover, privilege escalation, or destructive platform changes if RBAC, approval logic, or agent identity is bypassed or misconfigured.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The method is named and documented as updating inventory, but it never uses the provided quantity and instead posts a request that appears to query inventory summaries. In an agent-driven commerce system, this creates a dangerous integrity gap: upstream components may believe stock was changed when no change occurred, causing overselling, fulfillment failures, or audit inconsistencies.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The method claims to update pricing but only creates a feed document and returns success-like metadata without uploading or submitting any price payload. This can mislead calling agents into believing prices were changed, creating financial exposure, incorrect quotes, and broken approval/audit workflows in a B2B trading environment.

VirusTotal

63/63 vendors flagged this skill as clean.