GitCode Repo Daily

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed GitCode reporting skill that uses a GitCode token, calls GitCode APIs, and stores report data locally for its intended workflow.

Install only if you are comfortable giving the skill a GitCode token and retaining repository metrics, PR titles/bodies used for summaries, and generated summaries in local skill files. Use a least-privilege token, review saved default repositories on shared machines, and delete temp_dir or resources/report.db if you do not want local report history retained.
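The review steps above as a runnable check. This is an added example, not code from the skill or from SkillSpector: it lists the state files the listing names, flags copies that other local users can read, prints the saved default repositories for review, and purges report history. The SKILL_DIR variable and the sample config.json shape in the usage comment are assumptions; the skill's real config format is not documented here.

```shell
#!/bin/sh
# Added example (not part of the skill): audit and clean the local state the
# GitCode Repo Daily skill is documented to keep. SKILL_DIR is an assumed
# location; pass the directory where the skill was installed.
set -eu

# Paths named in the listing, relative to the skill directory.
STATE_PATHS="config.json resources/report.db temp_dir report.json summaries.json"

# Print each persisted artefact that currently exists.
skill_state_paths() {
    dir=$1
    for rel in $STATE_PATHS; do
        [ -e "$dir/$rel" ] && printf '%s\n' "$dir/$rel"
    done
    return 0
}

# Print persisted artefacts that group or other users can read. This is the
# shared-machine concern: config.json holds default repositories, the DB and
# JSON files hold PR titles/bodies and generated summaries.
shared_readable_state() {
    dir=$1
    for p in $(skill_state_paths "$dir"); do
        find "$p" -prune \( -perm -g+r -o -perm -o+r \) -print
    done
    return 0
}

# Show the repositories the skill saved as defaults so they can be reviewed
# before the next run silently reuses them.
show_default_repos() {
    [ -f "$1/config.json" ] && cat "$1/config.json"
    return 0
}

# Remove report history (the two locations the listing names). config.json
# is deliberately left in place so the defaults can be reviewed first.
purge_report_history() {
    dir=$1
    rm -rf -- "$dir/temp_dir"
    rm -f -- "$dir/resources/report.db"
}

# Usage: SKILL_DIR=/path/to/skill sh audit.sh      (PURGE=1 to also purge)
if [ -n "${SKILL_DIR:-}" ]; then
    echo "persisted state:";            skill_state_paths "$SKILL_DIR"
    echo "readable by other users:";    shared_readable_state "$SKILL_DIR"
    echo "saved default repositories:"; show_default_repos "$SKILL_DIR"
    [ "${PURGE:-0}" = 1 ] && purge_report_history "$SKILL_DIR"
fi
```

The permission test uses find's symbolic `-perm -g+r` / `-perm -o+r` so it works on both GNU and BSD find; running it as root is not meaningful since root reads everything anyway.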

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 83%
Finding
The examples state that the agent will write repository names into config.json as a side effect of a user request. Persistent configuration changes without explicit confirmation can create unauthorized state changes, leak sensitive repository identifiers into local files, and cause later runs to operate on repositories the user did not intend to persist.

Context-Inappropriate Capability

Severity: Medium
Confidence: 75%
Finding
The skill expands its credential access beyond the current process by querying Windows user- and machine-scoped environment variables through PowerShell. In skill/agent contexts, this increases secret-harvesting capability and may collect credentials the user did not intend to expose to this run, especially because the feature is not obviously necessary for report generation.

Intent-Code Divergence

Severity: High
Confidence: 84%
Finding
The docstring claims the tool only outputs one JSON to stdout, but the implementation writes config files, SQLite databases, temp files, summaries, and rendered Markdown. In an agent environment, this hidden statefulness is dangerous because users and orchestration layers may grant trust based on the declared behavior while the code performs materially broader filesystem actions.
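One way to check a "writes only one JSON to stdout" claim against what a run actually does, added here as an example and not code from the skill or from SkillSpector: drop a timestamp marker, run the command, and list every file under a watched directory that is newer than the marker. The command's stdout passes through untouched; the list of writes goes to stderr and the function returns 1 when anything was written. The command and watch directory are whatever you pass; the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the skill): report every file created or modified
# under WATCH_DIR while CMD runs, so declared read-only behaviour can be
# compared with observed behaviour.
set -eu

# writes_during WATCH_DIR CMD...
# stdout of CMD is passed through; detected writes are printed to stderr.
# Returns 0 if nothing under WATCH_DIR changed, 1 otherwise.
writes_during() {
    watch=$1; shift
    marker=$(mktemp "${TMPDIR:-/tmp}/writes-marker.XXXXXX")
    # On filesystems with 1s mtime granularity, make sure anything the
    # command touches is strictly newer than the marker.
    sleep 1
    "$@" || true   # the command's own exit status is not what is being tested
    changed=$(find "$watch" -type f -newer "$marker" | sort)
    rm -f -- "$marker"
    if [ -z "$changed" ]; then
        return 0
    fi
    printf 'files written under %s:\n%s\n' "$watch" "$changed" >&2
    return 1
}

# Usage (paths are assumptions; use the skill's actual install directory):
#   writes_during "$HOME/.skills/gitcode-repo-daily" <skill command> > out.json
# Watch "$HOME" instead to catch writes outside the skill directory.
```

Watching a large tree is slow because of the full `find`; for a skill that claims to be stateless, watching the skill directory plus the current working directory is usually enough to catch config, database and temp-file writes.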

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README explicitly states that when a user specifies repositories, the skill writes them back into config.json, creating a persistent side effect from conversational input. This is dangerous because it can silently alter future runs, cause scope drift to unintended repositories, and persist attacker-influenced configuration without clear notice or confirmation.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill says it will automatically write generated summaries to a DB during rendering and persist user-specified repositories as defaults, but only partially informs the user and omits a clear warning about ongoing storage. This is risky because operational data, AI-generated summaries, and user choices may be retained across runs without explicit consent or visibility, creating privacy and data-retention concerns.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The authentication guidance advises placing GITCODE_TOKEN in shell startup files such as ~/.bashrc or ~/.zshrc without discussing safer secret-handling practices or exposure risks. Tokens stored this way can be inherited broadly by subprocesses, accidentally leaked through debugging, backups, shared dotfiles, or misconfigured environments, especially on multi-user systems.
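A safer pattern than exporting GITCODE_TOKEN from ~/.bashrc or ~/.zshrc, added here as an example and not part of the skill's documentation: keep the token in a mode-0600 file, refuse to use it if the file is readable by anyone else, and set the variable only in the environment of the one process that needs it. The token file path and the dotfile names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the skill's docs): keep GITCODE_TOKEN out of shell
# startup files. Read it from a 0600 file at run time and expose it only to
# the child process that needs it.
set -eu

# Refuse to use a token file that group or other users can read.
check_token_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "token file not found: $f" >&2
        return 1
    fi
    if [ -n "$(find "$f" -prune \( -perm -g+r -o -perm -o+r \) -print)" ]; then
        echo "$f is group/world readable; fix with: chmod 600 $f" >&2
        return 1
    fi
    return 0
}

# with_gitcode_token TOKEN_FILE CMD...
# The assignment prefix puts GITCODE_TOKEN in CMD's environment only; this
# shell, later commands, subshells and anything that dumps the environment
# never see the token.
with_gitcode_token() {
    f=$1; shift
    check_token_file "$f" || return 1
    token=$(cat "$f")
    if [ -z "$token" ]; then
        echo "empty token file: $f" >&2
        return 1
    fi
    if GITCODE_TOKEN="$token" "$@"; then rc=0; else rc=$?; fi
    unset token
    return "$rc"
}

# Report shell startup files that export the token the way the skill's docs
# suggest, so the exposure can be removed. Returns 0 if any file matches.
token_in_dotfiles() {
    hit=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -q 'GITCODE_TOKEN=' "$f"; then
            printf '%s\n' "$f"
            hit=0
        fi
    done
    return "$hit"
}

# Usage (paths are examples):
#   token_in_dotfiles "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.profile" \
#       && echo "GITCODE_TOKEN is exported from a startup file; remove it"
#   with_gitcode_token "$HOME/.config/gitcode/token" <skill command>
```

The token still exists briefly in the shell variable `token` and is visible in the child's environment (for example via /proc/PID/environ to the same user), which is unavoidable when the skill reads it from the environment; what this removes is the token sitting in every interactive shell, every subprocess of every shell, and in dotfiles that get backed up or shared.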

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The examples describe automatic writes to report.json, summaries.json, Markdown output, and a database without warning the user about these side effects. Silent file and persistence operations are dangerous in agent contexts because they can overwrite existing files, store sensitive repository metadata or summaries, and violate user expectations about whether a request is read-only.

VirusTotal

65/65 vendors flagged this skill as clean.
