Skill Publisher

Security checks across malware telemetry and agentic risk

Overview

This is a real publishing automation skill, but it asks for powerful account tokens and includes bulk-publishing guidance that can bypass platform limits or abuse controls.

Install only if you intentionally want automated public publishing. Use dedicated least-privilege, short-lived tokens through a secure secret mechanism rather than chat prompts, review each skill before publication, require a dry run and explicit confirmation before repo creation, Git push, ClawHub publish, or Notion writes, and ignore or remove the multi-account, VPN, proxy, and rate-limit bypass guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The guide explicitly recommends splitting publishing across multiple GitHub/ClawHub accounts and spacing activity to avoid platform detection and rate limits. That moves beyond normal operational advice into evasion-oriented guidance, which is risky because it can facilitate abusive automation and policy circumvention.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The FAQ suggests automatic retry scheduling as a way to work around ClawHub hourly limits, and in context this is framed as continuing bulk publication despite platform throttling. While retries can be legitimate, here the surrounding text makes it part of a rate-limit circumvention workflow rather than a standard compliant backoff pattern.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The best-practices section advises limiting account switching and avoiding same-IP multi-account behavior to reduce detection during bulk publishing. This is classic anti-detection operational guidance and is not necessary for a legitimate publishing helper, making the skill more dangerous in context.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documentation explicitly recommends using multiple accounts, spacing operations to avoid detection, and different IPs via VPN/proxy to work around GitHub anti-spam controls. Guidance that helps evade platform abuse defenses is dangerous because it facilitates large-scale automated publishing while reducing the chance of enforcement.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This script introduces an automated web-scraping capability against SkillBoss that is broader than the stated publishing workflow of preparing and publishing skills to GitHub and ClawHub. In an agent skill, unexplained data collection from a third-party site expands the trust boundary, may violate site terms, and can be repurposed for unauthorized enumeration or harvesting without explicit user consent.

Missing User Warnings

High
Confidence
99% confidence
Finding
The guide tells users to paste live GitHub, ClawHub, and Notion tokens directly into the prompt. That exposes secrets to the agent/session context and increases the risk of inadvertent logging, retention, prompt leakage, or misuse by the skill or surrounding platform.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide advertises a zero-manual-step flow that will create repositories, modify files, publish externally, and update Notion without an upfront consent and side-effects warning. Users may trigger irreversible external changes without fully understanding what data and services will be modified.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide instructs users to paste live GitHub, ClawHub, and optionally Notion tokens directly into the prompt, normalizing disclosure of high-privilege credentials to the skill runtime. In an agent setting, this creates a real risk of credential leakage through logs, prompt history, telemetry, unintended reuse, or compromise of the agent environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-start advertises automatic downloading, repository creation, code push, and external publication without prominently warning that the skill will make network requests and perform irreversible remote changes on user-controlled accounts. Users may grant access or run the workflow without understanding the scope of external side effects, increasing the chance of unsafe or unintended actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises automated scraping, repository creation, Git pushes, and third-party publishing as a 'zero manual steps' workflow without clearly warning users that these actions can create external resources, modify local files, and publish content publicly. In a skill whose purpose is deployment automation, the absence of explicit safety and confirmation guidance increases the risk of unintended publication, account misuse, or accidental propagation of sensitive or unreviewed content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Quick Start instructs users to paste GitHub and ClawHub tokens directly into an example prompt without any warning about secure credential handling, storage, or least-privilege scoping. This normalizes unsafe secret-sharing practices and can lead to credential exposure in chat logs, screenshots, shell history, or downstream tooling, especially since the skill performs privileged publishing actions.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation example 'Get top 5 skills from SkillBoss.co' is too broad for a workflow that downloads, republishes, and creates external resources. Broad triggers make it easier for the agent to perform impactful side effects without clearly bounded user intent or source selection.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The auto-discovery publishing flow allows the agent to scrape a site, select skills, and publish them with insufficiently constrained user direction. In a skill that can create repos and publish externally, ambiguous discovery commands increase the risk of unintended bulk actions and republishing unauthorized content.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill promotes 'zero manual steps' and fully automated repo creation and publishing but does not foreground the irreversible external side effects. This is risky because it normalizes unattended operations involving third-party services, credential use, and public publication without strong user acknowledgement.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The credential collection examples ask users to paste GitHub, ClawHub, and optionally Notion tokens directly into chat without a strong warning against insecure sharing. Encouraging token disclosure in conversational input increases the risk of credential leakage, replay, and account compromise across multiple external platforms.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instruction to use different IPs via VPN/proxy goes beyond normal operational guidance and directly supports evasion of abuse monitoring. In the context of automated publishing, this increases the likelihood of mass account activity that bypasses platform safeguards.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script accepts a GitHub token as a positional command-line argument, which can expose the credential through shell history, process listings, CI logs, and audit tooling. In a publishing automation skill that is likely to run on shared developer machines or automation environments, this creates a realistic risk of credential leakage even if the script's purpose is legitimate.

Ssd 3

High
Confidence
99% confidence
Finding
The guide normalizes supplying live access tokens inside natural-language prompts and examples. This concentrates sensitive credentials in model-visible context, where they may be logged, cached, mishandled by downstream tools, or exposed through prompt injection and operational mistakes.

Ssd 3

High
Confidence
98% confidence
Finding
Repeated scenarios instruct users to include account tokens in prompts for automated publication. Repetition makes this an intended operating model rather than an incidental example, materially increasing the chance of credential disclosure and misuse.

Ssd 4

Medium
Confidence
95% confidence
Finding
The multi-account publishing walkthrough provides a gradual operational narrative for avoiding platform detection and staying under rate limits. In context, this is not neutral documentation; it lowers the barrier for coordinated evasive bulk activity.

Ssd 4

Medium
Confidence
94% confidence
Finding
Recommending users switch to another account when rate-limited turns a normal quota event into an evasion step. This guidance can be used to bypass platform safeguards and is especially problematic in a skill designed for automated external publishing.

Ssd 3

High
Confidence
99% confidence
Finding
The example dialogue asks for multiple GitHub tokens, multiple ClawHub tokens, and a Notion token in one request. Aggregating many secrets in a single model-visible exchange significantly increases blast radius if the conversation is leaked, logged, or mishandled.

Ssd 3

Medium
Confidence
98% confidence
Finding
The examples explicitly solicit live access tokens in plain-language prompts, which is a sensitive-data handling anti-pattern. In the context of a publishing skill with repository and platform access, exposed tokens could enable unauthorized repository creation, code pushes, publication actions, and access to linked operational data.

Ssd 3

Medium
Confidence
79% confidence
Finding
The Notion workflow encourages persistent tracking of publication metadata across runs, and in this context that can normalize retention of account-linked operational data in external systems. While the listed schema does not explicitly include tokens, the workflow increases the risk that sensitive identifiers, account relationships, or accidental secrets get copied into durable records without retention or access-control guidance.

Ssd 4

Medium
Confidence
95% confidence
Finding
This section narratively escalates from legitimate batch publishing into specific tactics for avoiding spam detection through account and IP rotation. That progression is concerning because it operationalizes evasive behavior rather than merely acknowledging rate limits.

VirusTotal

65/65 vendors flagged this skill as clean.
