Copilot CLI

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Copilot CLI reference skill, but it repeatedly teaches broad unattended agent permissions and persistent trust changes without enough safety framing.

Install only if you want a Copilot CLI reference and will review examples before use. In particular:
  • Prefer scoped --allow-tool and --add-dir patterns.
  • Avoid --yolo or --allow-all with --no-ask-user outside isolated, disposable workspaces.
  • Do not email raw tool output.
  • Verify remote installers before running them.
  • Use least-privilege tokens.
  • Remove trusted_folders entries you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill includes copy-pastable non-interactive commands using `--yolo` and `--no-ask-user`, which disable confirmation barriers and can let the agent modify files automatically. In a reference skill for CLI automation, presenting these commands without an explicit warning about autonomous writes and potentially destructive changes increases the chance of unsafe use, especially in CI/CD or unattended contexts.

Missing User Warnings

Medium
Confidence: 96%
Finding
The guidance explicitly recommends `--allow-all` or `--yolo` in `--no-ask-user` mode and provides a 'working formula' for unattended execution, but does not warn that this can permit destructive or irreversible actions. Because this section is framed as operational advice for automation, users are likely to adopt it directly, making accidental mass file modification, unsafe shell execution, or CI-side damage more plausible.

Missing User Warnings

Medium
Confidence: 87%
Finding
The examples explicitly show unattended execution with broad permissions, including `write` and `--allow-all-tools`, without any nearby warning that the agent may modify repository files at scale. In a reference skill for automation, users are likely to copy-paste these commands directly, so the documentation materially increases the risk of unintended code changes or destructive actions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The CI example passes a PAT into an automated CLI workflow but does not include strong guidance on secret minimization, secret scoping, rotation, log exposure, or preferring ephemeral credentials where possible. In CI/CD documentation, omission of credential-handling warnings can lead users to overprivilege tokens or accidentally expose them through workflow misuse.

Missing User Warnings

Medium
Confidence: 88%
Finding
The delegation section states that unstaged changes may be committed and a draft PR opened remotely, but it lacks a prominent warning to verify local working tree contents first. Because this feature moves local state into a remote branch/PR, users may inadvertently publish sensitive, incomplete, or unintended changes.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation explicitly instructs users to pipe a remotely fetched script directly into bash, which executes unreviewed network content immediately. In a CLI/automation context this is risky because compromise of the hosting URL, redirector, or delivery path could lead to arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence: 84%
Finding
The file states that Linux may fall back to storing credentials in plaintext in config.json without warning or mitigation guidance. Because this skill concerns a terminal AI agent that uses GitHub tokens, documenting plaintext token storage without caution increases the chance of credential exposure through local compromise, backups, or accidental file disclosure.

Missing User Warnings

Medium
Confidence: 87%
Finding
The post-tool logging example records tool names/results to a local CSV and emails failure details taken from `toolResult.textResultForLlm`. That content can contain sensitive command output, file contents, prompts, tokens, or other secrets, so documenting this pattern without stronger warnings or redaction guidance encourages accidental data exfiltration through logs and email.

Missing User Warnings

Medium
Confidence: 96%
Finding
This documentation provides an automation pattern that explicitly disables interactive safeguards with `--yolo --no-ask-user` and programmatically adds a directory to Copilot's `trusted_folders` list by editing the user config. That combination weakens consent and trust boundaries, and because this is a reference skill for CLI automation, readers may copy it directly into real workflows where it can cause unreviewed actions in a newly trusted workspace.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation includes a destructive keychain deletion command (`security delete-generic-password -s copilot-cli`) without any warning that it removes stored credentials and may disrupt authentication until the user re-authenticates. In a troubleshooting reference used by automation-oriented users, readers may copy-paste it directly, causing avoidable credential loss or confusion.

Missing User Warnings

Medium
Confidence: 89%
Finding
The example `lsof -ti:PORT | xargs kill -9` force-kills whatever is bound to the specified port, with no caution that it may terminate unrelated or production processes if the wrong port is used. The use of `kill -9` also bypasses graceful shutdown and increases risk of data loss or corruption.

Missing User Warnings

Medium
Confidence: 95%
Finding
The config-edit example silently appends a directory to `trusted_folders`, which weakens a security boundary by pre-approving a path without discussing trust implications. In this skill's automation/troubleshooting context, users are especially likely to paste such snippets into unattended workflows, making accidental over-trust more dangerous.

VirusTotal

48/48 vendors flagged this skill as clean.