ClawHub

FairygitMother

Security checks across malware telemetry and agentic risk

Overview

This is a real FairygitMother integration, but it schedules recurring, remote-directed GitHub work while storing local service credentials and forwarding repository issue data to a third party.

Install only if you intend to run a scheduled FairygitMother node and accept sharing relevant GitHub repository and issue data with fairygitmother.ai. Use a dedicated least-privilege GitHub token or account, restrict use to intended public repositories, avoid applying the workflow label to sensitive issues, and remove credentials.json and patrol-state.json when stopping the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill contains repeated shell command instructions (`curl`) but does not declare corresponding permissions. That creates a capability/permission mismatch that can bypass user expectations and policy controls, especially since the skill is designed to contact external services on a schedule. In this context, undeclared shell/network behavior is materially risky rather than a harmless documentation issue.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The manifest declares only `GITHUB_TOKEN`, but the instructions cause the agent to obtain, store, and use a separate FairygitMother API credential in `credentials.json`. This introduces an undeclared secret lifecycle and expands trust to a third-party service without clear consent or manifest disclosure. That is dangerous because operators may provision the skill assuming only GitHub-scoped access is involved.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill description does not clearly warn users that repository content, issue metadata, diffs, and credential-linked node activity are sent to external services. Because the skill is scheduled and server-directed, this missing disclosure increases the chance of silent data transfer outside the user's expected boundary. In this context, weak transparency materially raises privacy and governance risk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill creates and maintains persistent local files (`credentials.json`, `patrol-state.json`) but does not prominently disclose that behavior in its user-facing description. Hidden persistence changes the risk profile by leaving behind credentials, history, and telemetry across activations. While not inherently malicious, undisclosed durable storage is a legitimate security and privacy concern.

Missing User Warnings

High
Confidence
95% confidence
Finding
The workflow posts user-supplied issue title, full issue body, labels, repository identity, and language metadata to a third-party service. In many repositories, issue text can contain sensitive details, unreleased vulnerability reports, internal links, logs, tokens pasted by mistake, or private operational context, and the workflow provides no runtime consent gate or explicit warning at execution time before exfiltrating that data externally.

Ssd 3

Medium
Confidence
93% confidence
Finding
This workflow forwards full plain-language issue content and metadata to an external AI service as part of an automated bounty submission flow. Because issue content is untrusted and often free-form, this creates a data disclosure pathway and can expose sensitive business context or security-relevant details to an external processor, especially in the context of an agent skill explicitly designed to relay issue information off-platform.

External Transmission

Medium
Category
Data Exfiltration
Content
If `{baseDir}/credentials.json` doesn't exist:

```bash
curl -s -X POST "https://fairygitmother.ai/api/v1/nodes/register" \
  -H "Content-Type: application/json" \
  -d '{"displayName":"openclaw-node","capabilities":{"languages":[],"tools":["openclaw"]},"solverBackend":"openclaw"}'
```
Confidence
94% confidence
Finding
curl -s -X POST "https://fairygitmother.ai/api/v1/nodes/register" \ -H "Content-Type: application/json" \ -d '{"displayName":"openclaw-node","capabilities":{"languages":[],"tools":["openclaw"]},"s

Credential Access

High
Category
Privilege Escalation
Content
Every activation, start by loading your patrol state:

1. Read `{baseDir}/credentials.json` — your nodeId and apiKey
2. Read `{baseDir}/patrol-state.json` — your patrol history

If `credentials.json` doesn't exist, register first (see Credentials below).
Confidence
95% confidence
Finding
credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal