GhostShield

Security checks across malware telemetry and agentic risk

Overview

GhostShield is a local repository obfuscation tool with disclosed, user-triggered file rewriting and watermark features, but users should run it only on copies and review the output.

Install only if you intentionally want a local tool that rewrites repository copies to obscure coding style. Use a disposable clone or a separate output directory, avoid Level 3 and watermarking unless you need invisible markers, review the diffs, and run tests before publishing or relying on the transformed code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises and documents file read, file write, and shell-style CLI operations, but does not declare corresponding permissions. This creates a transparency and consent problem: users and hosting platforms cannot accurately assess what resources the skill may access or modify before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is style protection, but the described behavior also includes extracting Git author identity data, scanning .git/config, analyzing commit-message style, and rewriting Git history metadata. Those behaviors materially expand the privacy and integrity impact of the skill beyond the headline description, which can mislead users into exposing repository metadata or permitting destructive history changes they did not expect.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill advertises code-style anti-distillation protection but also rewrites general documentation content, expanding its data-modification scope beyond what users may reasonably expect. That can silently alter non-code artifacts, including sensitive docs, policies, or prompts, causing integrity loss and unintended disclosure or corruption of information.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
Git history anonymization and commit-history manipulation go well beyond simple code-style shielding and can materially alter repository provenance. In a security context, rewriting authorship and timestamps can impede audits, forensics, accountability, and compliance, especially if users do not fully understand the consequences.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
Spawning Git to inspect repository history introduces an unnecessary capability relative to the stated purpose of code-style obfuscation. Even without shell injection, this broadens access to repository metadata and can surprise users by processing authorship information not needed for basic file obfuscation.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Injecting style from external reference projects is not a narrowly defensive obfuscation action; it imports outside stylistic signals into target code and may contaminate outputs in unexpected ways. This can create provenance, licensing, confidentiality, and integrity concerns if the reference style is derived from third-party or sensitive projects.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill harvests contributor names and email addresses from Git history, which goes beyond the stated purpose of code-style obfuscation. This creates an unjustified data-collection path for personal information and increases privacy risk, especially when users may not expect repository identity mining from this skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Scanning .git/config for personal names and email addresses expands collection of user identity data outside the skill's declared obfuscation scope. Because Git config often contains real personal identifiers, this behavior can expose or process private data without clear necessity or disclosure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Invoking git log through a subprocess gives the skill access to contributor history that is unrelated to code-style protection. In this context, the capability is dangerous because it enables hidden metadata collection from local repositories, which is more invasive than the manifest suggests.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is marketed as a protective obfuscation tool, but this file instead extracts detailed code, documentation, and commit-style fingerprints and computes similarity metrics. In a security-sensitive context, this is dangerous because it enables profiling and attribution of a user's writing and coding habits while presenting itself as defensive functionality.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Mining Git commit history expands collection beyond source formatting into behavioral metadata about developers, including conventions, keywords, and communication patterns. For a tool advertised as style protection, this broader profiling capability is not clearly necessary and increases privacy and insider-attribution risk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The Level 3 feature set explicitly advertises injecting fake traits, contradictory decisions, and noise into code or documents without warning users that these transformations can degrade correctness, reliability, or auditability. In the context of a repository-processing skill, this is dangerous because users may apply it to production code or compliance-sensitive artifacts and unintentionally introduce misleading logic or operational defects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill promotes repository-wide transformation and hidden watermark insertion without a clear warning that source files and exported artifacts may be modified. This is dangerous because invisible or hard-to-review changes can alter code integrity, introduce supply-chain risk, or embed tracking markers into outputs that are later redistributed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code copies and then overwrites file and repository contents without any interactive warning, confirmation, or dry-run safeguard. For a tool that recursively processes paths and later mutates files, this creates a meaningful integrity risk: users may unintentionally alter important code or documentation at scale.

Missing User Warnings

High
Confidence
97% confidence
Finding
Invisible watermark injection deliberately modifies files with zero-width characters and hidden markers, which is especially risky because the changes are hard for users and downstream tooling to detect. Hidden modifications can break reproducibility, interfere with parsing or review, and create covert tagging behavior inconsistent with transparent defensive tooling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Collecting names and email addresses from Git history without a user-facing warning is a privacy and transparency problem. Even if the data remains local, undisclosed identity harvesting violates least surprise and can facilitate profiling or unintended disclosure if later logged, exported, or transmitted.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code silently collects up to 500 commit subjects from the local repository without any user-facing disclosure at the point of collection. Commit messages often contain internal issue references, feature names, or operational details, so undisclosed harvesting can expose sensitive project metadata and erode trust.

VirusTotal

65/65 vendors flagged this skill as clean.