OpenSpec Workflow

Security checks across malware telemetry and agentic risk

Overview

This skill appears to support a legitimate spec-driven coding workflow, but it gives sub-agents broad automatic authority and includes destructive repository actions that need review before installation.

Review this skill before installing. It is not clearly malicious, but only use it in a disposable or well-backed-up repository unless you are comfortable with agent runs that bypass permission prompts, modify files, create commits, and potentially delete merged branches. Prefer removing the skip-permissions flags and requiring explicit approval before commits, pushes, branch deletion, or long-running background review agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding
The skill explicitly instructs launching Claude Code with `--dangerously-skip-permissions` and then having it read tasks, modify the repository, mark tasks complete, and commit automatically. This removes an important safety boundary around filesystem and command execution while delegating broad, codebase-aware autonomy to another agent, increasing the chance of unintended code changes, secret access, destructive commands, or malicious prompt-influenced actions from repository content.

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding
The workflow unconditionally attempts to delete the source branch of any merged pull request using `git push origin --delete "$BRANCH"`. Although common in some repositories, this is a destructive action that can remove branches other collaborators still rely on, and the documentation does not prominently warn users about that repository impact or recommend safeguards for protected/shared branches.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding
The review loop instructs launching Claude Code with `--dangerously-skip-permissions`, which disables an important safety boundary while also giving the reviewer broad repo access and the ability to run commands. In this skill context, artifact content and repository contents are explicitly explored and may be adversarial, so a prompted reviewer could read, modify, or execute sensitive operations without an approval checkpoint; running it in the background also reduces operator visibility into what it is doing.

VirusTotal

66/66 vendors flagged this skill as clean.