Security audit

ziniao-erp-api-doc

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only ERP API reference; it describes powerful admin operations but does not install code or run anything itself.

Safe to install as documentation. Before using it to build real integrations, protect API keys and passwords, request only needed ERP permissions, and require explicit human review before deleting accounts, clearing authorizations or caches, changing roles/staff/access policies, or purchasing/renewing devices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The document exposes a bulk destructive operation that clears all authorization relationships for specified accounts without documenting any warning, confirmation requirement, or operational safeguard. In an integration/planning context, this increases the risk that developers automate or invoke the endpoint without understanding its blast radius, potentially causing widespread accidental access revocation and service disruption.

Missing User Warnings

Severity: Medium
Confidence: 72%
Finding
The documentation exposes handling of sensitive credentials (`password`) and a `defyWarning` risk-bypass flag with default bypass behavior, but gives no security guidance on safe usage, least-privilege access, or the consequences of suppressing risk checks. In an integration-focused skill, this can normalize insecure implementations by encouraging consumers to transmit passwords directly and disable safety controls without understanding the risk.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.