Crisp Grocery

Security checks across malware telemetry and agentic risk

Overview

The skill's code mostly matches its Crisp grocery purpose, but it handles account bearer tokens and personal data with overly broad controls: request_json accepts arbitrary full URLs, and both tokens and raw API responses can be written to disk. Users should review these behaviours before installing.

Install only if you are comfortable giving the agent access to your Crisp account data. Avoid custom API bases or full URLs (the bearer token is sent to whatever host is named), keep any --token-file in a private, owner-only location, do not --save raw API responses unless you need them, and review every basket mutation before confirming it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Tainted flow: 'path' from os.environ.get (line 86, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
# Tail of write_output as excerpted by the scanner; the function header and imports are added so it reads in context (names assumed from the findings).
import json
import os
from pathlib import Path

def write_output(payload, save=None):
    if save:
        # CRISP_OUTPUT_DIR is attacker/user-controlled environment; the file lands wherever it points.
        out_dir = Path(os.environ.get("CRISP_OUTPUT_DIR", "artifacts/api"))
        out_dir.mkdir(parents=True, exist_ok=True)
        path = out_dir / save
        path.write_text(json.dumps(payload, ensure_ascii=False, indent=2), encoding="utf-8")
        print(path)
    else:
        print(json.dumps(payload, ensure_ascii=False, indent=2))
Confidence
82% confidence
Finding
path.write_text(json.dumps(payload, ensure_ascii=False, indent=2), encoding="utf-8")

Tainted flow: 'token' from os.environ.get (line 31, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
# Tail of the login-start flow as excerpted by the scanner, wrapped in an assumed function so it reads in context; `args` is the argparse namespace, `token` and `payload` come from the preceding login call (imports added).
import json
from pathlib import Path

def finish_login_start(args, token, payload):
    if args.token_file:
        # The bearer token is written with default permissions and no warning.
        path = Path(args.token_file)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(token, encoding="utf-8")
    print(json.dumps({"sent": payload, "token_saved": bool(args.token_file)}, ensure_ascii=False, indent=2))
Confidence
76% confidence
Finding
path.write_text(token, encoding="utf-8")

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes use of environment variables, local token files, helper scripts that read/write files, and network access to the Crisp API, but the static finding indicates these capabilities are not formally declared. This creates a permission-transparency gap: reviewers and users may not understand that the skill can access secrets, local files, and remote services, increasing the risk of unintended data exposure or misuse of authenticated account data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
request_json accepts any full http/https URL, bypassing the Crisp-only base URL restriction. In an agent skill intended for Crisp grocery operations, this expands capability into arbitrary outbound network access and can be abused for SSRF-like behavior, data exfiltration, or contacting attacker-controlled endpoints with the Authorization header attached.
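One way to close this gap, shown here as an added example rather than the skill's own code: resolve every request target against the configured API base and only attach the Authorization header once the resolved URL is proven to keep the base's scheme, host and path prefix. The base URL (api.crisp.example/v1), the paths and the token value are constructed for the example; the skill's real base URL and flag names are not shown on this page.

```python
"""Added example (not the skill's own code): pinning request_json-style URL
handling to the configured Crisp API base so a bearer token cannot be sent to
an arbitrary host. The base URL, paths and token below are constructed."""
from urllib.parse import urljoin, urlsplit

# Assumed API base for the example; the skill's real base URL is not shown on the page.
DEFAULT_BASE = "https://api.crisp.example/v1/"


def resolve_permissive(target: str, base: str = DEFAULT_BASE) -> str:
    """The behaviour the finding describes: any absolute http/https URL is taken
    as-is, so a prompt-injected or mistaken full URL receives the token."""
    if target.startswith(("http://", "https://")):
        return target
    return urljoin(base, target.lstrip("/"))


def resolve_strict(target: str, base: str = DEFAULT_BASE) -> str:
    """Hardened variant: accept only a path, resolve it against the base, and
    require the result to keep the base's scheme, host:port and path prefix.
    Rejects absolute URLs, scheme-relative //host URLs and ../ escapes, while
    still allowing a query string that merely contains a URL as a value."""
    t = urlsplit(target)
    if t.scheme or t.netloc:
        raise ValueError("pass a path under the API base, not an absolute URL")
    b = urlsplit(base)
    if b.scheme != "https" or not b.netloc:
        raise ValueError("API base must be an https URL with a host")
    url = urlsplit(urljoin(base, target.lstrip("/")))
    if (url.scheme, url.netloc.lower()) != (b.scheme, b.netloc.lower()):
        raise ValueError(f"resolved host {url.netloc!r} is not the API host {b.netloc!r}")
    base_path = b.path if b.path.endswith("/") else b.path + "/"
    if not (url.path + "/").startswith(base_path):
        raise ValueError(f"path {url.path!r} escapes the API base path {base_path!r}")
    return url.geturl()


def build_request(target: str, token: str, base: str = DEFAULT_BASE) -> dict:
    """Attach the Authorization header only after the URL has passed resolve_strict."""
    return {
        "url": resolve_strict(target, base),
        "headers": {"Authorization": f"Bearer {token}", "Accept": "application/json"},
    }


if __name__ == "__main__":
    for t in ("baskets/123", "baskets?next=https://evil.example",
              "https://evil.example/collect", "//evil.example/x", "../admin"):
        try:
            print("allow ", resolve_strict(t))
        except ValueError as e:
            print("reject", t, "->", e)
```

The host comparison uses the whole netloc, so a different port or a user@ prefix fails the check as well; the path-prefix test is what stops `../` from walking out of the versioned API prefix onto other endpoints of the same host.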

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring claims secrets are not stored unless --token-file is used, but write_output can persist full API responses containing sensitive account, basket, order, or delivery information whenever --save is supplied. This mismatch can mislead users into storing personal data on disk without realizing it.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The login-start flow silently persists the generated token to disk if --token-file is provided, without any warning about credential lifetime, filesystem exposure, or permission requirements. Persisted bearer tokens can be reused to access the user's Crisp account if later disclosed.
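The two write_text findings above, the Intent-Code Divergence finding about --save and this warning gap share one fix: route every on-disk write of account data through a helper that creates owner-only files, refuses symlinks and loose parent directories, masks sensitive fields in saved responses by default, and tells the user what a persisted bearer token means. The following is an added example and not the skill's code; the list of sensitive key names, the directory and the sample payload are constructed, since the real Crisp response shapes are not shown on this page.

```python
"""Added example (not the skill's own code): safer persistence for --token-file
and --save. Sensitive key names and the sample payload are constructed."""
import json
import os
import stat
import sys
from pathlib import Path

# Assumed response keys worth masking before a --save write (constructed list).
SENSITIVE_KEYS = frozenset({"token", "access_token", "refresh_token", "password",
                            "email", "phone", "address", "card", "iban"})


def redact(value, sensitive=SENSITIVE_KEYS):
    """Return a copy of a decoded JSON value with sensitive keys masked at any depth."""
    if isinstance(value, dict):
        return {k: ("<redacted>" if k.lower() in sensitive else redact(v, sensitive))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, sensitive) for v in value]
    return value


def write_private_file(path, text: str) -> Path:
    """Create or overwrite `path` readable only by the owner. Refuses to follow a
    symlink at the target and to write under a group/world-accessible directory."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    parent_mode = stat.S_IMODE(path.parent.stat().st_mode)
    if parent_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path.parent} is group/world accessible ({oct(parent_mode)})")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # tighten a pre-existing file created with looser bits
    return path


def save_token(token: str, token_file) -> Path:
    """What --token-file should do: owner-only file plus an explicit warning."""
    out = write_private_file(token_file, token)
    print(f"warning: bearer token written to {out}; anyone who can read this file "
          "can act on your Crisp account until the token expires. Delete it when done.",
          file=sys.stderr)
    return out


def save_response(payload, save_path, raw: bool = False) -> Path:
    """What --save should do: mask sensitive fields unless raw output is requested."""
    data = payload if raw else redact(payload)
    return write_private_file(save_path, json.dumps(data, ensure_ascii=False, indent=2))


if __name__ == "__main__":
    import tempfile
    d = Path(tempfile.mkdtemp())
    # Constructed sample response; field names are assumptions.
    sample = {"account": {"email": "a@example.net", "name": "A. Customer"},
              "orders": [{"id": 1, "delivery": {"address": "1 Sample St"}}]}
    print(save_token("example-token", d / "crisp.token"))
    print(save_response(sample, d / "account.json").read_text(encoding="utf-8"))
```

The parent-directory check is deliberately strict: a token or response file with mode 0600 inside a 0755 directory is still discoverable by name, and on shared machines the directory listing alone leaks that an authenticated Crisp session exists.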

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal