Drivethru Sanmar

Security checks across malware telemetry and agentic risk

Overview

This SanMar ordering skill is mostly purpose-aligned, but it can expose real SanMar credentials in tool output and gives agents broad business-write capabilities.

Review before installing in any production account. Use least-privilege SanMar credentials, prefer platform secret storage over inline JSON or chat, avoid logging tool outputs, and do not feed purchase-order submit/dry-run results into any place where raw payloads could be retained unless credentials are redacted first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Severity: Medium, Confidence: 97%
The notes show the skill uses a separate SanMar customer portal with browser automation and portal-only credentials, which materially expands capability beyond the manifest’s declared SOAP/PromoStandards API surface. This creates a scope-disclosure mismatch: operators may authorize or trust an API-only tool while it actually drives a live authenticated web portal with different controls, side effects, and risk assumptions.

Description-Behavior Mismatch

Severity: Medium, Confidence: 98%
This documents a real write-side return-submission workflow that can create actual RMAs in production, yet that capability is not clearly represented in the skill description. Hidden transactional functionality is dangerous because users and orchestrators may invoke what appears to be an informational sourcing tool but instead trigger irreversible business operations.

Context-Inappropriate Capability

Severity: Medium, Confidence: 95%
A skill presented as a deterministic API toolkit is actually backed here by Playwright-style browser automation against a live portal, using interactive selectors and portal credentials. That discrepancy matters because browser automation is less predictable, more privilege-sensitive, and more vulnerable to UI drift or unintended actions than a constrained typed API integration.

Description-Behavior Mismatch

Severity: Medium, Confidence: 89%
This file adds browser automation for customer-portal return processing, including reverse-engineered flows and authenticated form submission behavior, which materially expands the skill beyond a deterministic API-wrapper into a UI-driving agent. That capability increases risk because it can perform account actions not covered by the stated API-toolkit scope, making security review, user-consent boundaries, and least-privilege assumptions easier to bypass or miscommunicate.

Context-Inappropriate Capability

Severity: Medium, Confidence: 91%
The module explicitly relies on reverse-engineered Playwright automation of the SanMar portal for operations unavailable in the sanctioned API surface. Even though the final submission is currently stubbed, the code logs in, navigates authenticated pages, resolves orders, and fills return forms, creating an undeclared high-trust interaction path that could later be extended to submit transactions without the stronger assurances normally provided by typed API integrations.

Description-Behavior Mismatch

Severity: High, Confidence: 97%
The skill’s declared purpose is a deterministic SOAP/PromoStandards API toolkit, but this file also exposes browser-driven portal return processing using a separate credential set. That materially expands the trust boundary and capability surface beyond the stated scope, enabling actions through a web UI that may bypass the review and safety assumptions applied to the API-only tooling.

Context-Inappropriate Capability

Severity: High, Confidence: 96%
This code accepts separate portal credentials and invokes browser automation for return processing, which is a different and riskier access path than the advertised SanMar API wrappers. Because portal automation can perform privileged account actions in a less structured environment than typed API calls, an agent may gain undeclared capabilities and interact with sensitive account data or workflows without appropriate policy gating.

Missing User Warnings

Severity: Medium, Confidence: 93%
The documentation explicitly permits supplying SanMar credentials inline via stdin JSON but does not warn about secret-handling risks such as shell history capture, CI/job log exposure, process inspection, or accidental transcript retention by higher-level agents. In this skill context, the danger is elevated because the toolkit handles real production ordering and pricing operations, so exposed credentials could enable unauthorized reads or purchase-order submissions against a customer account.

Missing User Warnings

Severity: Medium, Confidence: 95%
The examples explicitly instruct passing SanMar credentials inline in JSON on the command line, which risks exposing secrets through shell history, process listings, terminal logs, CI logs, and agent/tool telemetry. Because this skill handles purchasing and pricing operations, leaked credentials could enable unauthorized inventory queries, pricing access, and live PO submission.

Missing User Warnings

Severity: Low, Confidence: 84%
The module downloads SanMar product/inventory mapping data and writes it to a predictable on-disk cache location under /tmp without any permission hardening, encryption, or disclosure to the caller. While this is not secret material on the level of credentials, it is still business data and may be readable by other local users or processes on a shared host, and /tmp persistence can outlive the immediate task context.

Missing User Warnings

Severity: Medium, Confidence: 91%
The return-processing tool can save screenshots of a filled portal session via `screenshot_path`, but the only disclosure is in a docstring rather than an enforced user-visible consent mechanism. Screenshots may capture customer account data, order history, addresses, prices, return reasons, or other sensitive business information and write it to local storage without clear approval or retention controls.

Ssd 3

Severity: Medium, Confidence: 91%
The skill tells the agent to ask users for credentials and then place them directly into tool inputs or environment variables, normalizing insecure secret handling inside conversational and execution contexts. In an agent setting, these values may be retained in chat transcripts, traces, debugging output, or reused across sessions, increasing the chance of credential disclosure and misuse.

VirusTotal

VirusTotal findings are pending for this skill version.