Nm Sanctum Workflow Improvement

Security checks across malware telemetry and agentic risk

Overview

This skill appears useful for workflow improvement, but it can automatically create or direct GitHub issues in external repositories with workflow-derived details.

Review before installing. Use it only if you are comfortable with an agent preparing or creating GitHub issues from workflow findings, and require an explicit preview and approval before anything is posted outside the current repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill directs the agent to send workflow/tooling learnings to an external GitHub repository regardless of the current repository context. That creates a cross-boundary data exfiltration path: internal process details, repo names, architectural issues, or operational lessons from a private codebase could be disclosed outside the intended trust boundary without explicit user approval.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
This module expands the skill from retrospective workflow improvement into autonomous external side effects by directing automatic GitHub issue creation. That creates a scope mismatch: a user invoking an evaluation/improvement skill may not reasonably expect repository mutations, which can lead to unauthorized issue creation and disclosure of workflow-derived data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The module uses the GitHub CLI to query and create issues automatically, introducing an external capability not justified by the stated purpose of workflow evaluation. Because titles, descriptions, file references, and workflow context are sent to GitHub, this can leak internal details and perform unintended state-changing actions in the repository.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
Making issue creation automatic by default across workflows increases the chance of surprise external actions and broadens the skill beyond its declared analysis/improvement role. In practice, any workflow that classifies items as deferred can trigger repository writes without a dedicated consent step, amplifying misuse and accidental disclosure risks.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger list includes broad, everyday terms such as 'workflow', 'agents', 'skills', and phrases like 'execution felt slow' or 'confusing', which can cause the skill to activate in many unrelated contexts. Over-broad activation increases the chance the agent will surface and follow high-impact instructions, including external posting behavior, when the user did not intend to invoke this workflow.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding
The skill explicitly mandates posting tooling learnings to a specific external repository 'regardless of which repo you are currently working in.' This overrides normal repository and user-context boundaries, making accidental disclosure of sensitive operational details more likely and reducing the chance that an agent asks for consent before sharing externally.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The module states that deferred items should be automatically logged to GitHub issues, but it does not provide an upfront warning that workflow data may be transmitted to GitHub. This undermines informed consent and can expose sensitive operational context such as file paths, PR references, or internal improvement notes to an external system.

VirusTotal

63/63 vendors flagged this skill as clean.