ClawHub

Azure Devops MCP Replacement For OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Azure DevOps helper, but it can change live work items and wiki pages using a PAT, so users should review its scope before installing.

Install only if you intend to let OpenClaw access your Azure DevOps organization. Prefer a read-only or least-privilege PAT unless you specifically need write actions, avoid storing PATs in shared or committed config files, treat team-config.json as sensitive, and manually review every create/update/wiki write request before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill description understates behavior by omitting local `team-config.json` processing, people-tracking features, and write-capable operations such as work item creation/update and wiki write capability. This mismatch can cause users or orchestrators to invoke the skill with read-only expectations while it handles additional personal data and supports state-changing actions, increasing the risk of unintended disclosure or modification.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation frames the skill as mostly query-oriented, but it also advertises mutation commands like creating and updating work items and wiki write access. That discrepancy is dangerous because operators may grant or invoke the skill assuming low-risk read behavior, while the skill can alter Azure DevOps state if a PAT has sufficient scope.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly advertises create, update, and write operations against Azure DevOps resources but does not warn users that these commands can change live organizational data. In an agent skill context, that omission increases the risk of accidental destructive or unauthorized changes because users may assume the skill is primarily read-only unless warned otherwise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README tells users to configure a Personal Access Token in environment variables and in a local JSON config without warning that the PAT is a sensitive credential that grants API access to Azure DevOps. This can lead to insecure storage, accidental commits, shell history leakage, or broad token exposure, especially because the requested scopes include multiple write-capable permissions.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill requests a personal access token and later instructs users to maintain team-member emails for standup/capacity tracking, but it lacks a clear, prominent privacy warning about handling credentials and employee-identifying data. This can lead to unnecessary collection, oversharing, or storage of sensitive organizational data without informed user consent or minimization.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script exposes direct state-changing Azure DevOps operations (`create` and `update`) with no built-in confirmation, dry-run mode, or guardrails around sensitive fields. In an agentic context, this increases the chance of unintended modifications from ambiguous prompts, prompt injection, or operator error, causing unauthorized or accidental changes to work items at scale.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal