Review Workflow

Security checks across malware telemetry and agentic risk

Overview

This code-review workflow is not malware, but it automatically gathers and persists repository diffs, including untracked file contents, with broad activation triggers and limited user scoping.

Install only if you are comfortable with the skill reading your current repository diff and untracked non-ignored files into review artifacts. Before running it, make sure secrets, private keys, .env files, drafts, and other sensitive local files are ignored or removed from the working tree, and confirm any suggested git add, commit, push, or force-with-lease command before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The script is not only a parser: with --collect it enumerates repository changes and reads contents of untracked files, which can pull sensitive local-only data into downstream review pipelines. In an agent skill context, this is more dangerous because users may expect diff-only behavior while the workflow silently expands scope to files not yet tracked or intentionally excluded from commits.

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding
Embedding git execution and repository discovery into a parser broadens capability from passive parsing to active environment inspection. In this workflow skill, that enlarged authority increases the chance of unintended data exposure because the tool can traverse repo state and gather content beyond what a user explicitly pasted or selected.

Vague Triggers

Severity: High
Confidence: 93%
Finding
The trigger phrases are very broad (`帮我看代码`, `review 一下`, `准备提交`, `提交代码`) and the skill is instructed to activate even when the user only loosely references committing. That can cause unintended invocation of Bash/read-driven workflow steps, including repository inspection and generation of git commands, in ordinary conversation where the user did not intend to run an expansive workflow.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The skill description is triggered by very broad commit-related requests, which can cause it to activate in situations where the user did not explicitly intend a full commit workflow. In this context, that increases the chance the agent will inspect diffs, stage files, and prepare commit actions on a real repository without sufficiently narrow user consent, creating workflow confusion and potential unintended repository changes.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code automatically reads untracked file contents and synthesizes diffs for them without a user-facing warning, which can expose secrets, drafts, credentials, or other local data never intended for review or transmission. In an orchestrated review skill, this is especially risky because collected output is likely forwarded to other tools or models, turning local over-collection into a real confidentiality issue.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The skill explicitly requires complete prior outputs and user-provided context to be retained and forwarded across all later stages. Because those stages include review reports, patch suggestions, commit messages, and git workflow guidance, sensitive code, issue references, internal identifiers, or secrets discovered in diffs can be unnecessarily replicated and amplified into later outputs.

VirusTotal

60/60 vendors flagged this skill as clean.