Security audit

BlogStudio

Security checks across malware telemetry and agentic risk

Overview

This looks like a real GitHub Pages CMS, but it exposes powerful GitHub credentials to browser code and can directly change the live repository.

Review carefully before installing. Only use this with a narrowly scoped GitHub token for the intended repository, expect it to publish directly to the main branch, and avoid running it with broad personal GitHub credentials until token handling is moved server-side and destructive actions are clearly confirmed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

Lp1

High
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The code accesses environment-derived paths via process.env.HOME/USERPROFILE to locate a host secret, but the declared permissions do not disclose this capability. Undeclared access to environment-based host data expands the trust boundary and can hide secret discovery behavior from reviewers and users.

Lp1

High
Category
MCP Least Privilege
Confidence
98% confidence
Finding
The skill invokes the local `gh` CLI via `subprocess.run`, which is effectively shell/process-execution capability not declared in the manifest permissions. This expands trust boundaries from simple file/http access to local credential access and process execution, enabling retrieval of sensitive GitHub credentials from the host environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose presents a narrow blog CMS, but the described analyzer evidence indicates materially broader and riskier behavior: deleting repository files, opening arbitrary external URLs, exposing GitHub tokens to browser-accessible code, and operating on non-blog content. This mismatch is dangerous because users may grant trust and powerful permissions under false assumptions, while token exposure and arbitrary URL opening can enable credential theft, unauthorized repository changes, or broader compromise.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill reads a GitHub token from a fixed secrets file in the host filesystem, which is broader than the stated CMS scope and bypasses explicit user consent for credential use. This creates a secret-harvesting pattern and allows repository actions under the user's identity if the file exists.

Context-Inappropriate Capability

Low
Confidence
77% confidence
Finding
A generic openExternal IPC lets the renderer ask the main process to launch any URL, not just expected blog-related destinations. If the renderer is compromised or tricked, this can open phishing pages, trigger custom URI handlers, or pivot user trust outside the app.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill fetches a GitHub authentication token from an undeclared local endpoint and then uses it for repository API access. This creates a hidden trust boundary: users are not told that a local backend must expose credentials, and any compromise or spoofing of that backend could hand the page a sensitive token that enables repository reads and writes.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The code comments state a Python app should inject the token, but the displayed fallback instructs the user to run a plain static HTTP server, which cannot provide the required /token endpoint. This mismatch encourages insecure ad hoc workarounds, such as modifying local servers or exposing tokens unsafely, increasing the chance of credential leakage or misconfiguration.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code silently retrieves a GitHub authentication token from the local `gh` CLI, which is a sensitive credential source not disclosed by the skill permissions. For a CMS, accessing host credentials may be functionally convenient, but doing so implicitly violates least privilege and can expose broader GitHub access than the user expects.

Scope Creep

High
Confidence
99% confidence
Finding
Using subprocess execution to access credentials exceeds the declared permission model and creates an undisclosed capability to interact with local system tooling. In this context, that means the app can pull GitHub auth from the user's environment and use it for remote repository modifications without an explicit authorization boundary inside the skill.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill extracts the user's GitHub authentication token from the local gh CLI without an explicit consent step, then makes it available to the application. In this skill context, that is dangerous because the token can be used to read and modify repository contents on behalf of the user, expanding the trust boundary from local editing into account-level GitHub access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill advertises editing, creating, previewing, and deploying content but does not clearly warn that it will modify local files and push changes to GitHub. In a skill with file.write and network/deployment capabilities, missing safety disclosures increase the chance of unintended destructive changes, accidental publication, or misuse of repository access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The specification explicitly includes immediate push/publish capabilities to a live GitHub Pages repository but does not require confirmation dialogs, dry-run previews, environment separation, or warnings about modifying production content. In a CMS skill with file.write and http.request permissions, this omission creates a realistic path for accidental or unauthorized publication of live content, especially if the agent is induced to act on ambiguous instructions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The scheduled publishing design allows future automated actions through cron without specifying re-validation, approval at execution time, or cancellation safeguards. That is dangerous because queued content may be published later after circumstances change, credentials are compromised, or malicious content is inserted before the scheduled job executes.

Missing User Warnings

High
Confidence
99% confidence
Finding
The app not only reads a GitHub token from disk but also sends it to the renderer over IPC during initialization. Renderer exposure greatly increases attack surface because any renderer XSS, preload misuse, or unintended UI script access can recover the token and use it for repository compromise or broader GitHub abuse.

Missing User Warnings

High
Confidence
94% confidence
Finding
The code performs GitHub write and delete operations directly from renderer-triggerable IPC handlers without confirmation, policy checks, or path restrictions. This means any renderer compromise or mistaken UI action can silently modify or delete repository content on the main branch.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The page silently retrieves and stores a GitHub token, then uses it for authenticated API calls without any user-facing warning, permission prompt, or disclosure of scope. In a skill with file and network permissions, concealed credential use is dangerous because users may unknowingly authorize repository modification and token exposure to frontend code.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The publish path performs direct authenticated PUT requests to GitHub to create or overwrite repository content, but the UI does not clearly warn that clicking publish will modify a remote repository. This can lead to unintended deployment, data loss, or unauthorized changes if the user misunderstands the action or if content has been tampered with before publishing.

Missing User Warnings

High
Confidence
100% confidence
Finding
The GitHub token is embedded directly into the generated HTML/JavaScript as `const TOKEN = "{token}"`, exposing it to any script running in the page and to anyone who can access the local page source. Combined with the unsanitized preview/editor logic, this enables token theft through XSS or browser inspection, potentially granting repository write access and possibly broader GitHub account access depending on token scope.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The server injects the GitHub token directly into client-side HTML/JavaScript, exposing a powerful credential to the browser runtime. Any XSS, malicious browser extension, local page inspection, or unintended script execution in that context could steal the token and use it for unauthorized GitHub API actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The publish flow performs authenticated remote writes to GitHub with a single click and without a clear confirmation that a repository commit will be created. In this context, the app is a CMS, so writing is expected, but the lack of explicit disclosure and confirmation increases the risk of accidental or socially engineered repository modification.

External Transmission

Medium
Category
Data Exfiltration
Content
<script>
    // ── State ──
    const API_BASE = 'https://api.github.com/repos/TheSolAI/thesolai.github.io';
    let token = '';
    let currentView = 'posts';
    let currentItem = null; // { path, name } when editing existing
Confidence
85% confidence
Finding
https://api.github.com/

Unvalidated Output Injection

High
Category
Output Handling
Content
import subprocess

def get_gh_token():
    """Get GitHub token via gh CLI."""
    try:
        # Shells out to the locally installed gh CLI and reads its cached auth token
        result = subprocess.run(['gh', 'auth', 'token'], capture_output=True, text=True, check=True)
        return result.stdout.strip()
    except subprocess.CalledProcessError:
        return None
Confidence
95% confidence
Finding
subprocess.run(['gh', 'auth', 'token'], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
import subprocess

def get_token():
    try:
        # Same gh CLI token retrieval as get_gh_token in the previous excerpt
        return subprocess.run(
            ['gh', 'auth', 'token'],
            capture_output=True, text=True, check=True
        ).stdout.strip()
    # Except clause was cut off in the scan excerpt; completed here to match the pattern shown above
    except subprocess.CalledProcessError:
        return None
Confidence
95% confidence
Finding
subprocess.run( ['gh', 'auth', 'token'], capture_output

Known Vulnerable Dependency: electron==28.0.0 — 10 advisory(ies): CVE-2026-34776 (Electron: Out-of-bounds read in second-instance IPC on macOS and Linux); CVE-2026-34767 (Electron: HTTP Response Header Injection in custom protocol handlers and webRequ); CVE-2026-34774 (Electron: Use-after-free in offscreen child window paint callback) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
electron==28.0.0

Known Vulnerable Dependency: octokit==3.0.0 — 1 advisory(ies): CVE-2023-50728 (Unauthenticated Denial of Service in the octokit/webhooks library)

High
Category
Supply Chain
Confidence
92% confidence
Finding
octokit==3.0.0

VirusTotal

65/65 vendors flagged this skill as clean.