Commit Reviewer (Commit Fix Check)

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Git commit review helper, but it may expose private commit diffs and repository metadata to the agent during use.

Install only if you are comfortable letting the agent read the selected commit diff and related Git metadata. Run it from the target repository or set COMMIT_REVIEWER_WORK_ROOT to a narrow workspace, and avoid Git remote URLs that contain tokens or other secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 89% confidence

Finding: The skill can automatically scan the current directory or a work root for multiple Git repositories to locate a commit, but the description does not clearly warn users that such broad local enumeration may occur. In agent environments, this can violate user expectations and increase the chance of collecting repository names, paths, remotes, and commit data from unrelated projects.

Missing User Warnings

Medium, 94% confidence

Finding: The script prints `remote get-url origin` and commit metadata including `author: %an <%ae>` directly to stdout. In an agent skill, that output may be forwarded into chats, logs, telemetry, or downstream LLM context, causing unintended disclosure of internal repository locations and personal email addresses without user awareness or consent.

VirusTotal

65/65 vendors flagged this skill as clean.