SpecClaw

Security checks across malware telemetry and agentic risk

Overview

SpecClaw is a real development automation skill, but it gives broad code-changing and command-running authority with weak scoping safeguards.

Install only in repositories where you trust the .specclaw files, tasks.md, and config.yaml. Treat build and verify as code-execution actions, not read-only checks. Review task file paths before running, keep github.sync off unless you intend to publish the workflow content to GitHub, use least-privilege GitHub credentials, and avoid autonomous or scheduled use until path containment, safer command execution, and explicit approval gates are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
The script trusts the task's `files` field from `tasks.md` and concatenates each entry with `PROJECT_ROOT` before reading it. Because there is no canonicalization or containment check, a task can include paths like `../.env`, symlinks, or other unexpected project-root-relative targets and have their contents injected into the coding-agent prompt, exposing sensitive data and broadening the agent's scope beyond the intended task.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
The finalize command reads test/lint/build commands from config.yaml and executes them with eval, which allows arbitrary shell execution in the current repository context. Because the skill is an orchestrator that can also mutate git state, a malicious or tampered config can run unintended commands with the user's privileges, making this materially dangerous in context.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
The collect subcommand reads test, lint, and build commands from config.yaml and passes them to run_capped, which executes them with eval. Because config.yaml is treated as data but becomes shell code, a malicious or compromised repository can run arbitrary commands on the host during verification, not just expected build steps.

Vague Triggers

Severity: Medium
Confidence: 91%
The skill uses broad natural-language triggers for actions that create files, execute shell scripts, spawn agents, modify task state, and potentially sync to GitHub. This raises the risk of unintended invocation from casual conversation, prompt injection in surrounding text, or ambiguous user phrasing causing repository-modifying operations without clear intent confirmation.

Vague Triggers

Severity: Medium
Confidence: 90%
The later commands also rely on vague phrases like 'what's the progress' or 'autonomous mode,' but these map to actions that can mutate status, archive changes, or launch autonomous workflows. In a conversational agent setting, weak intent boundaries materially increase the chance of accidental or adversarial activation of sensitive operations.

Missing User Warnings

Severity: Medium
Confidence: 88%
The skill quickly transitions into shell-executing and repository-modifying behavior without a prominent upfront warning about side effects. Users may invoke it conversationally without understanding that it will run scripts, create branches/worktrees, edit files, and commit changes, which increases the chance of unsafe or unintended execution.

Missing User Warnings

Severity: Medium
Confidence: 93%
The GitHub sync flow can send proposal, task, status, and failure information to an external service, yet the skill does not prominently warn about data egress or privacy implications. In private repositories or sensitive codebases, accidental syncing could expose internal project details, filenames, architecture, or error contents beyond the local environment.

Missing User Warnings

Severity: Medium
Confidence: 87%
This script automatically reads file contents and emits them to stdout as part of an agent prompt, with no sensitivity filtering, redaction, or explicit disclosure to the caller. In a framework that spawns coding agents, this creates a real prompt-context data exposure risk: secrets, credentials, tokens, configs, or proprietary code in listed files may be unintentionally forwarded to another component or external model.

Missing User Warnings

Severity: Medium
Confidence: 96%
The script executes configured shell commands through eval without any upfront warning or consent, so untrusted configuration can trigger arbitrary subprocess execution. In this skill, that is especially dangerous because the same script can also commit and merge code, amplifying the consequences of command execution.

Missing User Warnings

Severity: Medium
Confidence: 90%
This script intentionally assembles a full verification context by reading the entire spec and changed file contents, then emits that payload to stdout. In practice, stdout is often captured by logs, wrappers, CI systems, or other tools, so sensitive source code, secrets embedded in files, or proprietary specs may be disclosed without an explicit safety gate or redaction step.

Missing User Warnings

Severity: High
Confidence: 98%
The helper at this location executes a caller-provided command string via eval, and later callers source that string from config.yaml. There is no warning, consent, or trust boundary enforcement, so verification of an untrusted change can trigger arbitrary shell execution with the user's privileges.

Missing User Warnings

Severity: Medium
Confidence: 90%
The script parses file paths from tasks.md and emits the contents of each referenced file into JSON, allowing repository-controlled metadata to cause disclosure of arbitrary readable files, including absolute paths. In a verification workflow this can expose secrets from the workspace or host if the output is logged, sent to another agent, or uploaded elsewhere.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.