pms-worklog

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated worklog automation purpose, but it can log into PMS and submit business work records automatically without a final confirmation step.

Install only if you trust the publisher and intend to let this skill act in your PMS account. Before running it, replace the hardcoded date, work item, hours, and description, use environment variables for credentials, review the script's selectors and submit behavior, and delete any saved PMS screenshots after troubleshooting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The script saves screenshots of authenticated PMS pages to a local workspace directory, which can capture sensitive internal data such as work items, employee details, dates, and other page contents unrelated to the minimum data needed for worklog entry. In this skill context, screenshots are not essential to the core automation flow and create a broader data collection surface that could expose internal information if the files are accessed, synced, or retained improperly.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script logs into PMS using credentials and later submits worklog entries automatically without a final user confirmation step before the write action. Because this affects authoritative business records, mistakes in dates, work items, or descriptions can result in unauthorized or incorrect submissions at scale.

Missing User Warnings

Medium
Confidence: 94%
Finding
Saving screenshots from authenticated PMS sessions without an explicit privacy notice or consent can capture sensitive internal business information and user data incidentally. In the context of an enterprise worklog system, this increases privacy and confidentiality risk because the images may persist on disk outside the application’s normal access controls.

VirusTotal

64/64 vendors flagged this skill as clean.
