Copilot CLI AI Code Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward guide for using GitHub Copilot CLI, but users should be cautious with code sharing, token storage, and the optional auto-execution mode.

Install only if you are comfortable using GitHub Copilot CLI on the target repositories. Confirm your organization allows prompts and code context to be processed by GitHub services, protect the token file with appropriate file permissions, verify the Homebrew package source, and avoid `--yolo` except in version-controlled or disposable workspaces where changes can be reviewed and reverted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly encourages sending project code to GitHub Copilot for analysis but does not warn users that source code, architecture details, or other sensitive content may be transmitted to a third-party service. In environments with proprietary code, secrets, regulated data, or customer information, this omission can lead to unintended data exposure and policy non-compliance.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation includes `copilot --yolo` for automatic execution but does not clearly warn that this mode may run generated actions with reduced user review, potentially modifying files or executing unsafe operations. Users may treat the example as endorsed safe behavior and invoke autonomous actions in sensitive repositories or systems without adequate oversight.

VirusTotal

66/66 vendors flagged this skill as clean.
