Repo Onboarding Guide

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a repository onboarding helper, but its bundled script can also perform broader audits and sensitive pattern scanning that are not clearly scoped to onboarding.

Review this skill before installing. Use it only on repositories you are comfortable having scanned locally, avoid running it on sensitive private repos unless outputs are controlled, and prefer explicit dry-run or narrowly scoped input paths. Check whether the publisher documents file access, shell execution, output locations, and redaction behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions, yet its content explicitly allows reading local resources, writing output files, and invoking a local Python script via shell/exec. This creates a capability/permission mismatch that can mislead users or policy engines, weakening review controls and enabling broader filesystem or command execution than the metadata suggests.
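
One way to verify a finding like this before installing, as an added example that is neither SkillSpector's code nor the skill's: parse the permissions the bundle declares and compare them with the capabilities its scripts actually exercise. The manifest shape is a hypothetical one (SKILL.md front matter with a `permissions:` list using the vocabulary read_fs / write_fs / exec), the bundled script is a constructed stand-in, and the helper names `declared_permissions`, `used_capabilities` and `permission_gaps` are this example's own. The same check covers the shell/exec findings below, since an undeclared `exec` capability shows up as a gap.

```python
"""Static capability check for an agent skill bundle.

Added example for this report, not SkillSpector's code or the skill's. It assumes a
hypothetical manifest: SKILL.md front matter that may carry a `permissions:` list
using the vocabulary read_fs / write_fs / exec, plus bundled Python scripts.
"""
from __future__ import annotations

import ast
import re

FRONT_MATTER = re.compile(r"\A---\n(.*?)\n---", re.S)
# Call targets that imply a capability (assumed mapping, not a standard).
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen", "os.execv"}
READ_CALLS = {"os.walk", "os.listdir", "os.scandir", "glob.glob"}

def declared_permissions(skill_md: str) -> set[str]:
    """Permission names declared in the front matter; empty set if none."""
    m = FRONT_MATTER.search(skill_md)
    if not m:
        return set()
    perms: set[str] = set()
    in_list = False
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if in_list and line.startswith("- "):       # block-style list item
            perms.add(line[2:].strip())
            continue
        in_list = False
        key, _, rest = line.partition(":")
        if key.strip() == "permissions":
            rest = rest.strip()
            if rest.startswith("["):                 # inline list: [a, b]
                perms.update(p.strip() for p in rest.strip("[]").split(",") if p.strip())
            else:
                in_list = True
    return perms

def _dotted(node: ast.AST) -> str | None:
    # Render a call target such as subprocess.check_output as a dotted string.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def used_capabilities(py_source: str) -> set[str]:
    """Collect the capabilities a script exercises by walking its AST."""
    caps: set[str] = set()
    for node in ast.walk(ast.parse(py_source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in EXEC_CALLS:
            caps.add("exec")
        elif name in READ_CALLS:
            caps.add("read_fs")
        elif name in ("open", "io.open"):
            mode = "r"                               # open() defaults to read-only
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                mode = str(node.args[1].value)
            for kw in node.keywords:
                if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                    mode = str(kw.value.value)
            caps.add("write_fs" if any(c in mode for c in "wax+") else "read_fs")
    return caps

def permission_gaps(skill_md: str, scripts: dict[str, str]) -> dict[str, set[str]]:
    """Map each script path to capabilities it uses that the skill never declares."""
    declared = declared_permissions(skill_md)
    return {path: gap for path, src in scripts.items()
            if (gap := used_capabilities(src) - declared)}

# Constructed sample: no permissions declared, mirroring the Lp3 finding.
SAMPLE_SKILL_MD = """---
name: repo-onboarding-guide
---
Read the repository, write ONBOARDING.md, and run scripts/onboard.py.
"""
# Constructed stand-in for the bundled script, not the skill's real code.
SAMPLE_SCRIPT = '''
import os, subprocess
def main(repo):
    for root, _dirs, files in os.walk(repo):
        for f in files:
            with open(os.path.join(root, f)) as fh:
                fh.read()
    log = subprocess.check_output(["git", "-C", repo, "log", "-5"])
    with open("ONBOARDING.md", "w") as out:
        out.write(log.decode())
'''

if __name__ == "__main__":
    print(permission_gaps(SAMPLE_SKILL_MD, {"scripts/onboard.py": SAMPLE_SCRIPT}))
```

Run against the constructed bundle, the script reports read_fs, write_fs and exec as undeclared, which is the mismatch the finding describes; declaring all three in the front matter makes the gap disappear, which is the point of asking the publisher to document file access and shell execution up front. The AST walk only sees direct calls, so a script that reaches `subprocess` through an alias or a wrapper needs a dynamic check as well.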

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared purpose is a repository onboarding guide, but the behavior described in the analysis includes broader auditing, content scanning, mode switching via an external spec.json, and writing arbitrary output files. This mismatch is dangerous because it obscures the real attack surface and can be used to justify access to sensitive repository contents under the guise of benign onboarding assistance.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document says not to execute build commands, but then explicitly permits running a local Python script through shell/exec. Even if framed as non-build behavior, this still authorizes code execution from the local skill bundle, which increases risk of unexpected actions, data access, or policy bypass in an otherwise documentation-focused skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Shell/exec capability is not justified by the stated purpose of generating onboarding guidance from repository structure and docs. Unnecessary command execution materially expands the attack surface, especially in a skill that otherwise claims to be read-only and non-invasive.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script implements multiple operational modes beyond the declared onboarding purpose, including CSV auditing, regex-based pattern scanning, and skill package conformance checks. This scope expansion increases the chance the skill is used to inspect sensitive repository contents or repurposed for general scanning tasks, which violates least functionality and makes misuse easier in environments with private code or data.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The built-in regex scanner searches repository content for secrets, private URLs, and dangerous command patterns even though the skill is described as an onboarding guide. In this context, that functionality enables broad inspection of potentially sensitive files and can surface secret-like material in outputs, making the skill more dangerous because it is likely to be run over private repositories under a less suspicious onboarding label.
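
If a scanner of this kind is run at all, the advice above about controlling outputs comes down to redaction. The following added example (not the skill's scanner and not SkillSpector code) shows the shape a practitioner would expect: constructed regex patterns of the kinds the finding names, run over constructed sample lines, with every match masked to a short prefix plus a digest unless raw output is explicitly requested. The pattern set, the `mask` scheme, the `scan_lines` helper and the sample lines are all this example's own assumptions.

```python
"""Secret-pattern scanner whose output is redacted by default.

Added example for this report, not code from the skill or from SkillSpector.
Patterns, masking scheme and sample lines are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re

# Constructed patterns standing in for the kinds of material the finding names.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "url_with_basic_auth": re.compile(r"https?://[^/\s:@]+:[^/\s@]+@\S+"),
    "pipe_to_shell": re.compile(r"\bcurl\b[^|\n]*\|\s*(?:ba)?sh\b"),
}

def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix for triage; replace the rest and add a digest for correlation."""
    digest = hashlib.sha256(value.encode()).hexdigest()[:8]
    return f"{value[:keep]}{'*' * (len(value) - keep)} sha256:{digest}"

def scan_lines(lines, redact: bool = True) -> list[dict]:
    """One finding per pattern hit: line number, rule name and the (masked) match."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                hit = m.group(0)
                findings.append({"line": lineno, "rule": rule,
                                 "match": mask(hit) if redact else hit})
    return findings

# Constructed sample lines; none of these values come from a real repository.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",
    "git clone https://deploy:s3cretpw@git.internal/team/repo.git",
    "curl -fsSL https://install.example/setup.sh | sh",
    "def add(a, b): return a + b",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']:>3}  {f['rule']:<20} {f['match']}")
```

The digest lets two runs (or two reviewers) confirm they found the same value without either report carrying it; the prefix is enough to tell a key type apart. Passing `redact=False` is the only way to get raw values, which is the switch a publisher's documentation should describe for a bundled scanner.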

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad, natural-language requests such as '扫描这个仓库生成 onboarding guide' ('scan this repository and generate an onboarding guide') and '帮新人找到先看哪些目录' ('help newcomers find which directories to look at first'), which can overlap with ordinary repository-analysis requests and cause the skill to activate unexpectedly. In an agent environment, overly generic routing can misapply the skill to unrelated prompts, increasing the chance of inappropriate file scanning or unintended handling of repository content.

VirusTotal

64/64 vendors flagged this skill as clean.
