resend-skills

clawhub:resend-skills

View source

20/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

20/100

CRITICAL 2

HIGH 2

LOW 7

Findings (11)

CRITICAL

Jailbreak template PROMPT_INJECTION_011

prompt-injection L216

Detects common jailbreak prompt patterns

circumvent safety

FIX

Remove directives that attempt to exfiltrate data through the agent's response (e.g., asking the agent to embed credentials in URLs or include secret values in output).

FP?

Likely FP if the text is a legitimate tool instruction about displaying configuration to the user (e.g., show current settings) without external transmission.

CRITICAL

Jailbreak template PROMPT_INJECTION_011

prompt-injection L292

Detects common jailbreak prompt patterns

evade filter

FIX

Remove directives that attempt to exfiltrate data through the agent's response (e.g., asking the agent to embed credentials in URLs or include secret values in output).

FP?

Likely FP if the text is a legitimate tool instruction about displaying configuration to the user (e.g., show current settings) without external transmission.

HIGH

Private data read with public output TOXIC_001

toxic-flow L690

Skill can read private data (credentials, SSH keys, env vars) AND write to public channels (Slack, Discord, email). This combination enables data exfiltration.

[reads_private_data] read `signing_secret + [writes_public_output] send Webhook API to create the webhook

FIX

Break the toxic data flow by adding validation and sanitization between the input source and the sensitive operation. Do not pass untrusted data directly to file system, network, or execution APIs.

FP?

Likely FP if the data flow involves only trusted, hardcoded values and the taint analysis over-approximated the untrusted input sources.

HIGH

Read sensitive files and transmit externally EXFIL_013

exfiltration L690

Detects skills that both read sensitive credential files and send data to external services

read `signing_secret + send Webhook API to register your endpoint

FIX

Block access to git credentials, SSH keys, and repository tokens. If git operations are needed, use scoped deploy keys and restrict the tool to specific repositories.

FP?

Likely FP if the match is documentation about git configuration (e.g., setting up git credentials helper) rather than code that reads and transmits them.

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L6

Detects URLs fetched at runtime that control or influence agent behavior without pinning

Get yours at https:// + setting

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.

LOW

MCP code execution tool CMDEXEC_010

command-execution L300

Detects MCP tools that execute arbitrary code

ExecuteCode

FIX

Restrict code execution tools to specific languages and sandbox the runtime environment. Use a container or VM-based sandbox instead of running code directly on the host.

FP?

Likely FP if the MCP tool is a dedicated code runner (e.g., Jupyter kernel) with documented sandboxing and no network access.

LOW

MCP code execution tool CMDEXEC_010

command-execution L308

Detects MCP tools that execute arbitrary code

ExecuteCode

FIX

Restrict code execution tools to specific languages and sandbox the runtime environment. Use a container or VM-based sandbox instead of running code directly on the host.

FP?

Likely FP if the MCP tool is a dedicated code runner (e.g., Jupyter kernel) with documented sandboxing and no network access.

LOW

MCP code execution tool CMDEXEC_010

command-execution L316

Detects MCP tools that execute arbitrary code

ExecuteCode

FIX

Restrict code execution tools to specific languages and sandbox the runtime environment. Use a container or VM-based sandbox instead of running code directly on the host.

FP?

Likely FP if the MCP tool is a dedicated code runner (e.g., Jupyter kernel) with documented sandboxing and no network access.

LOW

External API response used without validation THIRDPARTY_004

third-party-content L523

Detects patterns where external API responses are used directly without validation or sanitization

Webhook payload only includes metadata + immediately
    await agent.process

FIX

Validate and sanitize all data received from external APIs before using it in tool operations or agent prompts. Implement schema validation and treat API responses as untrusted input.

FP?

Likely FP if the match is a truncated table cell or documentation fragment that mentions API responses in a descriptive context, not actual unvalidated data processing.

LOW

System package manager install EXTDL_011

external-download L753

Detects system-level package installation via brew, apt, yum, or dnf

brew install n

FIX

Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.

FP?

Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.

LOW

System package manager install EXTDL_011

external-download L779

Detects system-level package installation via brew, apt, yum, or dnf

brew install c

FIX

Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.

FP?

Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.