
Security audit

Webhook Token Security (Zero‑Exposure Edition)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a notification-webhook skill that handles user-provided tokens for its stated purpose, with credential-handling risks users should understand.

Install only on a trusted machine and treat all webhook, bot, and MGC tokens as secrets. Confirm which platforms you configure, avoid sharing tokens in chat or logs, and revoke any token if you suspect it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This markdown file describes storing webhook tokens via MCP/CLI and calling MGC sensitive-data APIs with an authentication token read from a local token file, but it does not give an explicit user warning about the privacy and system-impact implications of handling and transmitting secrets. Although it includes best practices, those are framed as implementation guidance rather than a user-facing warning about data handling risks.

External Transmission

Medium
Category
Data Exfiltration
Content
| DingTalk | access_token + secret | JSON | https://oapi.dingtalk.com/robot/send |
| WeCom | webhook key | Plain text | https://qyapi.weixin.qq.com/cgi-bin/webhook/send |
| Feishu | webhook_url | Plain text | Custom webhook URL |
| Telegram | bot_token | Plain text | https://api.telegram.org/bot{token}/sendMessage |
| Slack | webhook_url / bot_token | JSON | Incoming Webhook or Web API |

---
Confidence
50% confidence
Finding
https://api.telegram.org/

Session Persistence

Medium
Category
Rogue Agent
Content
## Step 1: Prepare Token File

Create a JSON file containing your webhook token details (see Platform-Specific Storage above).

## Step 2: Store in MGC
Confidence
60% confidence
Finding
Create a JSON file containing your webhook token details (see Platform-Specific Storage above). ## Step 2: Store in MGC > **Important:** Use **MCP tools** for AI agents. CLI may have port conflicts

VirusTotal

62/62 vendors flagged this skill as clean.
