Erxes

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed erxes management skill, but it gives an agent broad power to change business and user-account data without clear confirmation safeguards.

Install only if you want an agent to operate your erxes workspace with the authority of the OAuth account. Use a least-privilege account where possible, verify the erxes endpoint before login, require explicit confirmation for deletes, merges, team-member changes, organization changes, and automation changes, and treat the printed session JSON as a secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill metadata says it manages contacts, companies, products, tags, documents, brands, automations, team members, and organization data, and this file explicitly documents organization and team-member administration APIs including user invitation, user editing, department creation, and branch creation. In an agent skill, exposing broader administrative capabilities materially increases the chance that a user request or prompt injection could lead to account provisioning or org-structure changes beyond what a narrowly scoped data-management integration would need.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill advertises create, update, delete, merge, activate, and disable operations across many business objects without requiring confirmation or warning about irreversible changes. In an agent setting, this increases the risk of accidental destructive actions against production CRM and organization data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The file documents destructive removal mutations such as customersRemove without any confirmation, dry-run guidance, or warning about irreversible data loss. In an agent context, that omission is dangerous because an LLM or user can trigger deletions directly from natural-language instructions, increasing the risk of accidental or socially engineered destructive actions.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documented edit and merge operations can overwrite or combine customer records without any warning about integrity risks, field precedence, or rollback limitations. In a CRM setting, silent modification or merging can corrupt identity and contact data, which is especially risky when actions may be driven by ambiguous natural-language requests.

Missing User Warnings

Medium
Confidence: 95%
Finding
The usersInvite example includes a plaintext password in request variables and provides no warning about credential handling, secure invitation flows, or secret redaction. This normalizes insecure credential practices and could lead operators or downstream tooling to log, store, or expose passwords in prompts, docs, traces, or analytics systems.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script prints a JSON object containing the OAuth access token directly to stdout. In agent or automation contexts, stdout is commonly captured in logs, shell history, workflow artifacts, or downstream tool outputs, which can unintentionally expose a bearer token that grants API access to the erxes instance.

VirusTotal

63/63 vendors flagged this skill as clean.
