erxes-next-plugin

Security checks across malware telemetry and agentic risk

Overview

This erxes plugin appears purpose-built rather than malicious, but it gives agents broad authenticated power over business records while assuming owner-level access too readily.

Install only if you intentionally want an agent to use a confidential erxes OAuth client with broad access to business records. Use a least-privilege OAuth client where possible, avoid pasting real secrets into shell-history-producing commands, start with read-only tests, and require explicit human confirmation for every create, update, delete, publish, transfer, convert, membership, and template change.

Publisher note

This plugin needs native host access only to run bundled shell helpers for erxes OAuth device login and token refresh. It sends requests to the configured ERXES_BASE_URL, uses ERXES_CLIENT_ID and ERXES_CLIENT_SECRET for confidential OAuth, and does not persist access tokens, refresh tokens, auth headers, API keys, or .env values to project files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The skill explicitly instructs the agent to treat backend permissions as a non-blocker in 'owner' mode, which normalizes attempting privileged operations without verifying that the current session is actually authorized. In a skill that exposes destructive actions such as delete, remove-member, end-cycle, and status deletion, this can lead to unauthorized state-changing requests being issued under an over-privileged or mis-scoped session.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The document downplays missing permission checks for template operations and tells the agent to continue assuming owner-mode access unless the API rejects the call. When documentation acknowledges absent backend permission enforcement, treating that as harmless increases the chance the agent will invoke unguarded create, edit, or delete template actions that should require explicit authorization.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The invocation scope is broad enough to trigger on many ordinary business requests, increasing the chance the skill is selected in contexts the user did not specifically intend. Because the skill includes write, delete, publish, transfer, and conversion workflows, overbroad activation can route sensitive business actions through a high-impact capability set unexpectedly.

Natural-Language Policy Violations

Severity: Medium
Confidence: 98%
Finding: Defaulting to owner-mode operation grants the skill the highest business privilege without user opt-in or justification, which materially raises the blast radius of any mistaken invocation or prompt manipulation. In this context, the skill exposes administrative GraphQL operations for publishing, deleting, transferring, and converting records, so implicit owner authority can lead to unauthorized or unintended state changes across SaaS business data.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill explicitly instructs operators to place a confidential OAuth client secret on the shell command line. On many systems, command-line arguments and inline environment assignments may be exposed through shell history, process listings, audit logs, CI logs, or terminal recordings, which can leak long-lived credentials to other local users or logging systems. The surrounding context increases risk because the document frames the secret as routine operational input and provides copy-paste examples without any handling warnings.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The example shows a plaintext password embedded directly in request variables for inviting a user. Publishing credential material in examples normalizes unsafe secret handling, increases the chance that integrators hardcode or log passwords, and can expose temporary credentials through source control, telemetry, or chat transcripts.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The keyword list is broad enough to match generic terms like "contacts," "companies," "products," "graphql," and "oauth," which can cause the plugin to activate in unrelated conversations. Because this plugin is wired to confidential OAuth and operational data access, unintended activation increases the chance of overexposure of sensitive capabilities or accidental use against the wrong user intent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: Several intents such as "read erxes data," "create erxes record," "update erxes record," and "delete erxes record" are high-privilege but defined at a very broad level, without boundaries or disambiguation criteria. In the context of a confidential OAuth plugin that can operate on production GraphQL data, this makes misrouting and accidental invocation more dangerous because destructive or sensitive actions may be selected for ambiguous user requests.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The manifest includes broad keywords such as "contacts," "companies," "products," and "graphql," which are generic enough to match many unrelated user requests. In an agent-plugin context, overly broad matching can cause the plugin to be invoked outside the user's intent, increasing the chance of unintended access to connected erxes data or prompting the model toward unnecessary authenticated actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The manifest advertises read, create, update, delete, and grouping capabilities but does not present any visible warning that the plugin can modify or delete remote data. In a plugin that uses confidential OAuth and operates over GraphQL, this omission increases the risk that users or the agent trigger destructive operations without clear consent or awareness of the consequences.

VirusTotal

58/58 vendors flagged this plugin as clean.