Gitea Workflow

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Gitea workflow helper, but it under-declares credential use: its scripts can read a local Gitea token and manage scheduled agent loops.

Review this before installing in a real workspace. Use a dedicated low-privilege Gitea token per agent, verify the token file path and localhost endpoint, and check every cron target/session before enabling loops. Do not use a broad personal access token unless you are comfortable with scheduled agents reading and acting on Gitea issues under that token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The manifest says no credentials are required and sets the primary credential to null, but the description explicitly instructs agents to read a Gitea personal access token from local files at runtime. This mismatch can cause the platform and users to treat the skill as non-sensitive even though it consumes secrets, reducing review scrutiny and increasing the chance of unsafe token handling or overbroad deployment.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The script reads a local Gitea token from disk and automatically uses it to make an authenticated API request, which exceeds the stated scope of a workflow-description skill and performs privileged actions in the user's environment. Even though the request targets localhost, it still discloses and uses credentials without explicit consent, creating unnecessary credential-handling risk and expanding the trust boundary of the skill.

Description-Behavior Mismatch

Medium (81% confidence)
Finding
The script inspects the local environment by reading /etc/openclaw/agent-name, deriving the current user/agent, and querying cron state. This is behavior beyond a purely descriptive workflow skill and increases environmental access, but the accessed data is limited operational metadata rather than sensitive secrets.

Vague Triggers

Low (80% confidence)
Finding
The credential description implies that each agent may use a locally stored Gitea token, but it provides no scope limits, role separation guidance, or least-privilege expectations. In a multi-role workflow skill, that ambiguity can lead operators to reuse powerful personal access tokens across agents, increasing blast radius if a token is exposed or misused.

Missing User Warnings

Medium (95% confidence)
Finding
A credential file is read and the token is sent in an HTTP Authorization header with no prior warning, confirmation, or visibility to the user. This silent credential use is risky because users may not expect a workflow helper to consume stored secrets, and any compromise or misrouting of the local service could expose token-backed access.

VirusTotal

64/64 vendors flagged this skill as clean.
