Copilot CLI Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a transparent Copilot CLI wrapper, but it repeatedly encourages unrestricted agent execution that can run commands, edit files, and affect GitHub repositories.

Install only if you intentionally want OpenClaw to delegate work to GitHub Copilot CLI. Prefer scoped `--allow-tool` permissions over `--allow-all-tools`, run it only in the intended repository and branch, review changes before pushing or opening PRs, avoid broad GitHub tokens, and stop background sessions when the task is done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The documented recipes expand a local coding assistant skill into remote GitHub issue handling and pull request creation, which materially exceeds the stated scope of operating in a target project directory. This broadening enables unintended external side effects such as creating branches, interacting with remote repositories, and publishing changes, increasing the chance of unauthorized repo operations or data disclosure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
Recommending `--allow-all-tools` grants Copilot broad access to execute arbitrary available tools rather than the minimum needed for a coding task. In this skill context, that can let an LLM-driven workflow invoke destructive, exfiltrative, or repo-mutating commands well beyond implementation assistance, especially if prompt content is attacker-influenced.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly recommends commands such as `copilot -p "<task>" --allow-all-tools`, which can grant broad execution and file-modifying capability, but it does not clearly warn the user that these examples may let Copilot run tools and alter repository contents. In an agent skill, omission of that warning materially increases the chance of unsafe delegation because users may treat the examples as safe defaults rather than high-privilege operations.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The recommended prompts include actions like working on a GitHub issue in a new branch and creating a PR, but the skill does not clearly disclose that these workflows may create branches, commit changes, or interact with remote repositories. That omission is dangerous because it can lead users or upstream agents to trigger external side effects beyond the local workspace without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The document explicitly recommends using `--allow-all-tools` for full autonomy without any adjacent warning, constraint, or approval guidance. In the context of an operator skill that runs Copilot CLI against a target repository, this can normalize granting unrestricted shell/tool access to an LLM-driven agent, increasing the chance of destructive commands, secret exfiltration, or unintended repository and GitHub-side actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The examples normalize broad tool execution, background operation, and interactive process continuation without warning that these actions can modify repositories, create branches, open PRs, or run potentially destructive shell commands. Because this is operational guidance for an agent skill, users may copy these patterns directly, making unsafe automation more likely in real repositories.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The guidance to set `COPILOT_GITHUB_TOKEN` omits that the value is a sensitive credential whose leakage could permit repository or account actions depending on its scope. In an agent-driven environment, undocumented token sensitivity increases the risk of insecure storage, logging, shell history exposure, or accidental sharing.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script runs `copilot` with `--allow-all-tools`, which grants the agent broad ability to execute impactful operations in the target repository context without any confirmation, scoping, or user-facing warning. Because both the project directory and free-form task are user-supplied, this can lead to unintended code changes, command execution, file modification, or other destructive actions if the task is unsafe, ambiguous, or attacker-influenced.

VirusTotal

64/64 vendors flagged this skill as clean.