Bean Whisperer

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with espresso profile generation, but it deserves review because it can use Discord credentials and directly change or delete profiles on a connected machine.

Install only if you are comfortable with an agent managing profiles on your GaggiMate machine and accessing Discord for community profiles. Use the narrowest Discord credential possible, avoid storing a personal token in plaintext, review any downloaded or generated JSON before upload, and explicitly confirm push, select, favorite, or delete actions because they change persistent machine settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Tainted flow: 'outpath' from os.environ.get (line 225, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        profile = await download_attachment(a["url"])
        if profile:
            outpath = PROFILES_DIR / a["filename"]
            with open(outpath, "w") as f:
                json.dump(profile, f, indent=2)
            print(f"  ✅ {a['filename']}: {summarize_profile(profile)}")
            print(f"     → {outpath}")
Confidence
92% confidence
Finding
with open(outpath, "w") as f:

Tainted flow: 'outpath' from os.environ.get (line 251, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
                    outpath = PROFILES_DIR / fname
                    if outpath.exists():
                        outpath = PROFILES_DIR / f"{outpath.stem}_{t['id'][:8]}{outpath.suffix}"
                    with open(outpath, "w") as f:
                        json.dump(profile, f, indent=2)
                    label = profile.get("label", "unnamed")
                    print(f'  ✅ {fname}: "{label}"')
Confidence
92% confidence
Finding
with open(outpath, "w") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions even though its documented workflow uses environment variables, reads and writes local files, and performs network operations against both a local WebSocket endpoint and Discord. This creates a transparency and consent problem: users and any permission-gating system cannot accurately assess what the skill will access before it runs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The advertised purpose is espresso profile generation and machine management, but the documented behavior also includes authenticating to Discord, enumerating community content, downloading attachments in bulk, and reading credentials from local configuration. That mismatch can lead users to authorize a seemingly local coffee tool that actually accesses third-party services and local secrets, increasing the risk of unexpected data access and supply-chain style ingestion of untrusted JSON.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script pulls a Discord user token from the environment or a local file and uses it to access external community data. Handling a user token directly is sensitive because it grants account-level access; in the context of a coffee-profile management skill, this is an unexpected credential use that expands the attack surface and can expose private or account-scoped data if misused or leaked.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly promotes pushing generated profiles to a physical machine over WebSocket as part of a single conversational flow, but it does not warn users that this changes device state or may alter active machine behavior. In a skill that controls espresso hardware, missing confirmation and safety language increases the risk of unintended profile deployment or destructive actions being normalized as routine chat commands.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The conversational examples normalize commands like "Push it to my machine" and automatic re-push after taste feedback without any mention of confirmation, preview, or rollback. Because this skill is specifically designed to manage profiles on brewing hardware, the omission makes unsafe state-changing behavior more likely in real use, especially when users may not realize a chat utterance causes immediate device modification.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Documenting a delete command for machine profiles without warning that it permanently removes configuration from the connected device encourages destructive operations without adequate user awareness. In this skill's context, profile management is a core feature tied to a real machine, so the lack of cautionary language materially raises the chance of accidental deletion or unintended remote state changes.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad and overlap with ordinary coffee discussion, so the skill could activate when the user is merely chatting about taste or dialing in a shot. Because this skill can later push, modify, or delete machine profiles, accidental invocation raises the chance of unintended state changes or network access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill includes commands to delete profiles and push/select profiles on the machine, but it does not require an explicit warning or confirmation before changing machine state. In this context, accidental or misunderstood execution can alter the active brew configuration or remove saved profiles, affecting device behavior and user data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The Discord integration instructs use of a bot token and network searches/downloads without a clear privacy and credential-handling warning. This matters because the skill reads sensitive credentials, contacts an external service, and stores downloaded content locally, which users may not expect from a coffee-profile assistant.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script encourages use of a Discord user token from an environment variable or plaintext file without prominent warning or stronger safeguards. In practice, user tokens are highly sensitive secrets, and normalizing their use in an automation script increases the chance of accidental disclosure, misuse, or unsafe operational practices.

VirusTotal

66/66 vendors flagged this skill as clean.