ClawHub

Safe Change

Security checks across malware telemetry and agentic risk

Overview

This skill is a local TypeScript impact scanner with a disclosed post-change verification step, but users should treat the verification step as running their own repository code.

Install only if you are comfortable with the agent reading your local TypeScript project structure and running your repository's own lint, test, and build scripts. Review package.json scripts first, use the narrowest project root, and do not grant credentials, purchase authority, or crypto-related access because this skill does not need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script’s behavior materially differs from the skill’s stated purpose of mapping blast radius: instead of only analyzing dependencies and affected surfaces, it actively executes project commands such as type-check, lint, test, and build. In an agent-skill context, running repository-defined commands can execute arbitrary code from package scripts, test hooks, build tooling, or compiler plugins, expanding risk beyond passive analysis.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script includes shell-command execution capability that is not justified by the manifest’s blast-radius mapping description. In practice, `npm run lint`, `npm test`, and `npm run build` delegate to repository-controlled scripts, which can run arbitrary shell commands and produce side effects or exfiltrate data when invoked by an automated agent.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The comment claims the script is read-only, but the commands it runs are not inherently side-effect free. Tests, lint hooks, build steps, or TypeScript plugins may write files, access the network, modify caches, or trigger arbitrary code paths, so the claim can mislead users and downstream agents into treating an active script as safe for low-risk execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal