Oneshot Ship

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but clearly described automation skill for coding, reviewing, pushing branches, and opening PRs.

Install only if you want an automated coding agent with authority to modify a selected repository, push branches, and open or update PRs. Prefer dry-run or local mode first, use least-privilege GitHub and provider credentials, and only use SSH mode with hosts you trust because run configuration and Linear credentials may be sent there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding: The top-level description is broad enough to match generic requests to 'ship code changes' or 'run a coding pipeline,' which can cause the skill to activate in situations where the user did not explicitly consent to an automated code-modifying and PR-opening workflow. In this skill's context, accidental invocation is meaningful because the tool can read repositories, execute an agentic workflow, and push changes locally or over SSH.

Vague Triggers

Medium
Confidence: 90%
Finding: The 'When to use this skill' section includes ambiguous delegation language like wanting to 'ship a code change' or 'automate' a workflow, which could be interpreted too broadly by an orchestrating agent. Because this skill can modify codebases and open PRs, overbroad triggers increase the chance of unauthorized or surprising automation.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill explains that oneshot runs over SSH or locally and routes work to external providers, but it does not prominently warn users that repository contents, instructions, and related metadata may be transmitted to remote servers and third-party model providers. In this context, that omission is dangerous because the pipeline explicitly reads code, local instruction files, and policy packs, and can operate on remote infrastructure.

Missing User Warnings

Medium
Confidence: 98%
Finding: The documentation states that the active oneshot config is streamed to the server for each SSH run, including provider defaults, timeout settings, and configured Linear credentials, but it does not pair this with a clear warning about credential and configuration exposure. That is risky because secrets or sensitive operational metadata may be copied to a remote host outside the user's normal trust boundary.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal