Gh

Security checks across malware telemetry and agentic risk

Overview

This skill is a scoped ClawHub maintainer helper for GitHub PR and issue review, with no hidden code or unrelated behavior found.

Install this only if you are comfortable letting an authenticated GitHub CLI inspect ClawHub PRs/issues and, when directed, post comments, change labels or close items, and publish UI proof artifacts. Use dry-run or explicit confirmation for public GitHub writes if you are not acting as a maintainer.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger description is broad enough to activate on many generic GitHub-related CLI requests, which can cause this skill to be selected in situations where a narrower or more appropriate skill should handle the task. Over-broad activation increases the chance of unintended repository operations being proposed or executed under an authenticated GitHub context, especially because this skill includes write-capable commands such as repo creation, PR merge, and issue actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal