Claude Skills Adversarial Reviewer

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only code review skill. Reading the repository is expected for its purpose, and the skill shows no hidden installation, persistence, network, or destructive behavior.

Install this if you are comfortable letting the agent inspect the files and git history needed for code review. For tighter privacy control, invoke it on a specific file or provide an explicit patch rather than running broad diff ranges in repositories containing unrelated sensitive material.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium, 89% confidence
Finding
The workflow explicitly instructs the agent to read full files for every file in a diff and inspect project metadata such as CLAUDE.md, .editorconfig, and lint configs, but it gives no user-facing warning that broad repository contents may be accessed. In an agent setting, this can cause over-collection of local code and metadata beyond what a user expects, increasing the risk of unintended exposure of sensitive material present elsewhere in the repository.

Missing User Warnings

Low, 82% confidence
Finding
The usage section encourages running git diff commands over local history, including ranges like HEAD~3 and main...HEAD, without disclosing that this inspects historical repository content. While this is normal for code review, the missing warning can mislead users about how much local context the skill will traverse and may expose prior sensitive changes or deleted material to the agent.

VirusTotal

64/64 vendors flagged this skill as clean.
