GitHub → ClawHub One-Click Conversion and Publishing

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it also tells an agent to publish with a user token and patch installed ClawHub CLI files without enough user control.

Review carefully before installing. Use it only with explicit GitHub repositories you want converted, require a draft review before any file write or publish command, avoid pasting tokens into persistent chats where possible, and do not allow it to patch installed ClawHub CLI files or auto-accept license terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The skill explicitly instructs users to patch an installed ClawHub CLI binary to force `acceptLicenseTerms: true`, which bypasses an intended consent/licensing control in third-party software. That behavior is unrelated to merely converting a GitHub project into a skill and normalizes tampering with local tooling to defeat a platform safeguard, creating legal, trust, and supply-chain risk.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger description is intentionally broad and includes open-ended language such as similar requests, increasing the chance the skill activates in contexts the user did not clearly intend. Because this skill performs external fetches, local file creation, and publication actions, overbroad activation raises the risk of unintended side effects from casual or ambiguous prompts.

Vague Triggers

Medium
Confidence: 90%
Finding
The instructions state that many trigger words should be packed into the description because it is the only activation entrypoint, with no safeguards for specificity. This encourages aggressive matching behavior that can cause the skill to run when the user is only discussing related topics, which is especially risky given the skill's write-and-publish capabilities.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill directs creation of files under a local workspace and publication to an external service using a user token, but it does not require an explicit user-facing warning or confirmation immediately before those side effects occur. In practice, this could cause unintended local modifications or accidental publication of generated content to a third-party platform.

Missing User Warnings

Medium
Confidence: 97%
Finding
Quick mode authorizes end-to-end execution from a single user message, including network fetches, local file creation, and public release, without a final confirmation checkpoint. That makes accidental publication and misuse of supplied credentials significantly more likely, particularly when prompts are terse or copied from elsewhere.

VirusTotal

66/66 vendors flagged this skill as clean.
