ClawHub

Codebase Onboarder

Security checks across malware telemetry and agentic risk

Overview

This is a readable, instruction-only skill for generating codebase onboarding docs, with a practical caution about sensitive configuration details in generated output.

Install this only for repositories you are comfortable having an agent inspect for documentation. Review the generated onboarding guide before sharing it, especially the configuration/environment section, and redact any real secrets, tokens, internal hostnames, or sensitive service details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation text is overly broad and matches common natural-language requests like 'help me understand this codebase' or 'document this project,' which can cause the skill to activate in situations the user did not specifically intend. In an automated agent setting, this increases the chance of unintended repository inspection and downstream disclosure of internal structure, code organization, or sensitive files during routine conversations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs reading .env example/template files and grepping environment-variable usage across the repository without any warning, filtering, or secret-handling constraints. Even sample env files and config references frequently contain real credentials, internal hostnames, tokens, or sensitive integration details, so this can lead to inadvertent exposure in the generated onboarding output.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal