NaviOffice Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real NaviOffice integration, but it needs review because it can use an API token to read and change sensitive business data and includes an unrestricted raw API request path.

Install only if you trust the publisher and can provide a least-privilege NaviOffice token. Avoid production admin tokens, do not enable custom domains unless you control the endpoint, and do not use the raw command with full URLs because it can send the API token outside the official service. Users should confirm every write operation involving HR, finance, sales, contracts, purchasing, or inventory before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises access to environment variables, network, and shell-capable scripts but does not declare corresponding permissions. That creates a trust and review gap: operators may install or approve the skill without understanding it can read secrets, make outbound requests, and invoke local commands, which materially increases the blast radius if the skill is misused or compromised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
A description-behavior mismatch is security-relevant here because the skill claims bounded OA functionality across named modules, while analysis indicates it also exposes generic/raw API access to arbitrary reachable endpoints on the configured backend. This can let an agent or user perform undocumented actions, bypass intended scope restrictions, and hit sensitive administrative or destructive endpoints using the provided API token.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The document explicitly instructs the agent to use a generic raw request mechanism that can compose arbitrary HTTP methods, paths, bodies, and headers. In an MCP skill intended for CRM-focused queries and business operations, exposing unrestricted raw transport semantics weakens scope boundaries and can let an agent reach undocumented or higher-risk endpoints, increasing the chance of unauthorized actions or data access if the agent is prompted adversarially or behaves incorrectly.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This section goes beyond documenting normal CRM pagination and search and teaches direct raw POST access to custom paths such as `/contract/payment-record/page`, explicitly describing raw path selection to bypass CLI structure limits. That creates a capability-escalation pattern: an LLM agent can be induced to target any reachable API path under the same credentials, including sensitive or state-changing endpoints not intended by the skill's declared purpose.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The generic raw command allows arbitrary authenticated requests to the backend using the configured API token, bypassing the narrower CRM command constraints. In a skill context, this materially expands capability from documented helper functions into unrestricted API access, enabling sensitive data access or state-changing operations across the OA platform if the token is privileged.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The raw API function allows arbitrary authenticated requests using the configured X-Api-Token, bypassing the narrower CRM helper surface and any intended workflow restrictions. In an agent-skill context, this effectively turns the tool into a generic privileged API proxy, enabling unexpected reads or state-changing operations anywhere the token is authorized.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The domain validation is implemented incorrectly: it parses the hostname but compares it against the full URL string "https://oa.teredy.com/api", so the default legitimate domain will fail validation. This breaks the intended safety control and may pressure operators to set NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true, which weakens protections and can expose the token to non-official hosts.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The help text and interface present the tool primarily as a CRM CLI, but it also exposes a generic `raw` command that can invoke arbitrary NaviOffice API paths. This creates a scope mismatch that can mislead downstream agents or users into granting trust appropriate for read-only CRM operations while actually enabling broader administrative or business actions across the OA platform.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
`raw_api` allows callers to send arbitrary HTTP methods and paths, including full URLs when `path` starts with `http`, while automatically attaching the `X-Api-Token`. This effectively turns the script into a generic authenticated request proxy, enabling unintended access to non-CRM functions and possible token exfiltration to attacker-controlled hosts if custom URLs are supplied.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents a write-capable CRM customer creation tool that accepts sensitive personal and financial fields such as phone, mobile, email, address, tax number, bank name, bank account, and credit terms, but provides no warning that use of the tool will create or modify records containing regulated or confidential data. In an agent setting, this increases the risk of unintended collection, over-sharing, or persistence of PII and financial information because the model is guided toward direct data entry without privacy, authorization, or confirmation safeguards.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill describes crm_createOpportunity as a straightforward creation action but does not warn that it writes business records into the CRM system and may alter pipelines, revenue forecasts, and downstream sales processes. In an autonomous or semi-autonomous agent workflow, lack of an explicit write warning and confirmation step can lead to accidental or unauthorized creation of business-critical records.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents create and update operations for persisted HR records, including fields like identity number, bank card number, employment status, and department assignment, but provides no explicit confirmation, authorization, or safety guidance before destructive or sensitive changes. In an agent setting, this increases the risk of accidental or unauthorized modification of personnel data, especially because the documentation encourages direct use of the mutation tools once an employee ID is known.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill exposes access patterns for highly sensitive HR and payroll data, including employee personal details, identity numbers, bank information, birthday/contract/probation status, and salary queries, without any privacy warning, minimization guidance, or handling restrictions. In an MCP/agent context, such documentation can facilitate over-collection or inappropriate disclosure of regulated personal and compensation data if an agent queries broadly or presents data to the wrong user.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This documentation exposes state-changing inventory operations such as material creation, inbound, and outbound transactions without any safety guidance, confirmation requirements, or warning that these actions modify business records and stock balances. In an agent skill context, that omission increases the chance of accidental or unauthorized execution of destructive business actions, especially because the same file mixes read and write operations with equal prominence.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation exposes business-record creation functionality for sales orders without any warning that invoking the tool will modify persistent enterprise data. In an agent skill context, omission of mutation warnings increases the risk of unintended order creation, especially if an agent treats the operation as routine data retrieval or proceeds without explicit user confirmation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section documents contract creation, including file metadata fields, but does not warn that it creates legal/business records or that file-related fields may reference sensitive contract data. In enterprise workflows, silent exposure of record-creation behavior can cause accidental contract issuance, incorrect attachments, or mishandling of confidential document metadata.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Generating receivable plans affects financial schedule data and can materially influence downstream accounting or collections workflows, yet the documentation provides no caution about this side effect. In a finance-adjacent module, lack of mutation warnings makes accidental execution more dangerous because an agent could create payment schedules that users mistake for approved accounting data.

VirusTotal

66/66 vendors flagged this skill as clean.