Gsdata

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real GSData adapter, but it includes admin/write and raw API capabilities beyond simple lookup, so it should be reviewed carefully before use.

Install only if you trust the publisher and intend to let an agent use your GSData credentials. Prefer least-privilege GSData keys, avoid broad automatic activation, review every --allow-write or raw-route command before it runs, and use an HTTPS GSData endpoint if the service supports it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill uses sensitive capabilities including environment-based credentials, local file access, and network/API access, but does not declare permissions or clearly scope those capabilities. This weakens policy enforcement and review because a caller may invoke a skill that can access secrets and external services without explicit visibility into that risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose presents the skill as a read-oriented data query tool, but the actual behavior includes write-capable operations and arbitrary raw endpoint access. That mismatch is dangerous because users, reviewers, or orchestrators may trust the skill for low-risk retrieval while it can perform state-changing actions or reach unreviewed API paths using privileged credentials.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The adapter exposes a `gsdata_raw` path that allows callers to invoke arbitrary backend routes, bypassing the manifest's query-oriented abstraction and any tool/action allowlist. Although `_is_write_route` blocks some obvious write paths unless `allow_write` is set, arbitrary route selection plus caller-controlled method still materially expands capability and can reach undocumented or misclassified endpoints.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill includes public-sentiment warning management actions such as create, update, open, close, and recipient email modification, which are state-changing operations outside the stated read/query use case. Even with the `allow_write` safeguard, surfacing these operations in the same skill increases the chance of accidental or unauthorized administrative changes if the flag is exposed or misused.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill metadata frames this integration as query-oriented access for account/content/rank/pubsent/NLP lookups, but the mapping also includes state-changing endpoints for custom ranking management and warning administration. That mismatch expands the granted capability surface beyond user-expected read/search behavior, increasing the chance of unauthorized modifications, persistence, and misuse through prompt-induced tool selection.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Custom group and account management endpoints permit modifying stored account groupings, adding accounts by URL, and deleting entries, even though the stated purpose is data querying and public-opinion search. In an agent setting, this creates an over-privileged skill where innocuous search requests could be steered into persistent account-management actions that alter user state or monitored entities.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Warning-rule creation, updates, open/close operations, and recipient email management allow the skill to configure ongoing alerting behavior and notification targets, which materially exceeds passive querying. If misused, an agent could create surveillance-like monitoring, redirect alerts to attacker-controlled recipients, or silently disable protections, making the context more dangerous because the skill is presented as a search tool rather than an administrative one.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Broad trigger phrases such as common topical terms can cause the skill to auto-activate in ordinary conversations unrelated to intentional GSData usage. In this context that is more dangerous because the skill has network access, uses credentials, and exposes higher-risk operations, increasing the chance of unintended external calls or confusing tool selection.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The default GSData base URL uses plain HTTP, so requests, query contents, and authentication material in the `access-token` header can be intercepted or modified by any on-path attacker. Because the token is derived from the app secret and route-specific signature, using it over an unencrypted channel meaningfully increases credential replay and tampering risk.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The unconstrained fallback tool creates an ambiguous catch-all path with no declared trigger boundaries or endpoint restrictions. In an agent environment, ambiguous fallback routing can bypass intended tool-selection safety logic and make it easier for broad or unexpected requests to reach powerful underlying functionality.

VirusTotal

54/54 vendors flagged this skill as clean.
