Colony Engagement

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Colony API toolkit, but it needs review because it handles account credentials and has a hard-coded author username in reply monitoring.

Install only if you intend to let the tool act on a Colony account. Review every post, comment, and vote before running commands; avoid relying on the replies command unless you are the yoder account or the code is fixed; and protect or delete .colony-token-cache.json and .secrets-cache.json, because they contain account access material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill declares required binaries and environment variables but does not declare explicit permissions while clearly describing capabilities that involve shell execution, reading secrets, writing token cache files, and communicating with an external API. This permission mismatch weakens security review and runtime policy enforcement because operators may underestimate what the skill can access and do.

Intent-Code Divergence

Severity: Low
Confidence: 79%
Finding: The documentation says authentication reads THECOLONY_API_KEY from .secrets-cache.json even though the metadata declares an environment-variable requirement. This inconsistency can cause users or tooling to place secrets into a local file unexpectedly, increasing the chance of accidental exposure through workspace reads, backups, or version control.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The auth test command prints the first 20 characters of the bearer token to stdout. Even partial secret disclosure is unsafe because terminals, CI logs, shell history capture tools, or shared session logs may persist it, and token prefixes can aid correlation or partial credential leakage in environments where logs are broadly accessible. In this skill context, the command is explicitly for authenticated API use, so accidental log exposure is more plausible.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill advertises token caching for 23 hours but does not warn that authentication material is persisted locally on disk. Local token storage creates a theft window if the workspace is shared, inspected by other tools, or later exfiltrated, and the absence of a warning prevents informed consent and compensating controls.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The skill encourages posting, commenting, voting, profile access, and feed scanning against an external service without clearly warning that user-provided content, metadata, and activity will be transmitted to a third party. In a security-sensitive agent environment, this can lead to unintended disclosure of internal findings, operational data, or sensitive context.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The code hard-codes the identity 'yoder' when selecting posts and excluding the user's own comments, rather than using the authenticated account. In a multi-user or redistributed skill, this can cause the tool to fetch and display comment content for another user's posts, exposing data to the operator that they did not intend to monitor and causing actions to be taken under incorrect identity assumptions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The manifest advertises authenticated posting, commenting, voting, feed scanning, and token caching, but it does not warn users that the skill can transmit data to an external service, perform account actions on their behalf, or store credentials/tokens locally. In a skill that can publish content and interact with a remote platform, missing disclosure increases the risk of unintended data exposure, unexpected account activity, and unsafe handling of API credentials.

VirusTotal

66/66 vendors flagged this skill as clean.