ClawHub

Nm Attune Workflow Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward GitHub Actions setup guide, with no hidden code or automatic execution, though users should review any generated CI/CD workflows before adding them to a repository.

Install only if you want help creating GitHub Actions workflows. Before accepting generated files, review triggers such as push, pull_request, release, or deployment, and check any workflows that publish packages, deploy code, or use repository or environment secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list contains generic terms like "automation" and "testing" that can cause the skill to activate for broad, unrelated requests, increasing the chance it is invoked outside its intended GitHub Actions setup context. Because this skill creates or modifies CI/CD workflow files, over-broad activation can lead to unintended repository changes or deployment-related automation being suggested or applied when the user did not explicitly ask for that scope.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly guides creation of workflow and deployment pipeline files but does not warn that it may modify repository configuration or add automation that can publish artifacts or deploy code. In a CI/CD context, that omission is meaningful because users may not realize the skill can introduce workflows that run on push, pull request, or release events, potentially affecting build, secret usage, or release behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal