Low Risk — Risk Score 15/100
Last scan: 19 hr ago
agent3-hub
Universal AI resource registry — search and invoke agents, MCP servers, and APIs through a single MCP endpoint
Pure documentation skill providing MCP registry access to external hub.agent3.me endpoint. No executable code, scripts, or hidden functionality. All network behavior is declared.
Skill Name: agent3-hub
Duration: 30.7s
Engine: pi
Safe to install
Acceptable for use. Verify trust in hub.agent3.me as an external dependency before production deployment.

Findings 2 items

Severity: Low
Finding: External Service Dependency (Doc Mismatch)
Skill delegates all tool execution to external hub.agent3.me MCP endpoint. Users must trust this external service with their API key and queries.
Endpoint: https://hub.agent3.me/api/mcp
→ Review hub.agent3.me privacy policy and terms of service before using. Consider the risk of delegating data to an external party.
Location: SKILL.md:18

Severity: Low
Finding: Arbitrary Agent Invocation Capability (Sensitive Access)
The agents_invoke and resources_invoke tools allow invocation of any registered agent or resource in the hub. This is a trust delegation chain with unknown third parties.
agents_invoke | Invoke an A2A agent directly | Required
→ Understand that invoking agents through this hub means your queries and data may be processed by arbitrary third-party agents.
Location: SKILL.md:47

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No filesystem access declared or implied |
| Network | READ | READ | ✓ Aligned | MCP endpoint hub.agent3.me/api/mcp documented |
| Shell | NONE | NONE | | No shell execution in skill |
| Environment | READ | READ | ✓ Aligned | AGENT3_API_KEY declared as required env var |
| Skill Invoke | READ | READ | ✓ Aligned | MCP client invokes external agents/services |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |

4 findings
Medium External URL
https://hub.agent3.me/api/mcp
SKILL.md:17
Medium External URL
https://hub.agent3.me/auth/signup
SKILL.md:19
Medium External URL
https://hub.agent3.me
SKILL.md:171
Medium External URL
https://hub.agent3.me/docs
SKILL.md:172

File Tree

1 file · 4.4 KB · 174 lines
Markdown 1f · 174L
└─ 📝 SKILL.md Markdown 174L · 4.4 KB

Security Positives

✓ No executable code present - pure documentation/metadata skill
✓ All network behavior explicitly declared
✓ Uses standard MCP protocol (2025-03-26)
✓ No obfuscation or base64-encoded content
✓ API key requirement declared transparently
✓ No sensitive path access (~/.ssh, ~/.aws, etc.)
✓ No credential harvesting beyond declared AGENT3_API_KEY
✓ No shell execution, subprocess, or RCE vectors
✓ No supply chain risks (no dependencies in this skill)