Github Forker

Security checks across malware telemetry and agentic risk

Overview

This skill can fork GitHub repositories, but it also automatically stars them from the user's account without a separate opt-in step.

Review before installing. Only use this skill if you are comfortable with it automatically starring every repository it successfully forks. Prefer a least-privilege, revocable GitHub token, avoid storing the token permanently in shell startup files, and consider editing the skill to remove or require confirmation for the starring step.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
The README describes behavior beyond the skill's stated purpose: it not only forks repositories but also automatically stars them. This creates an undocumented account action on the user's behalf, which violates least surprise and can be abused for unauthorized engagement or reputation manipulation.

Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Advertising automatic starring as a feature confirms that the skill performs an extra GitHub action unrelated to the core fork request. In an agent context, hidden side effects against a user's account are dangerous because users may authorize one action while unintentionally granting another.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
The usage section states the skill will automatically star the original repository after inferring and forking it. Combining inference of repositories from screenshots or truncated URLs with automatic starring increases the risk of unintended account interactions on repositories the user did not clearly identify.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
The skill's declared purpose is to fork repositories, but the implementation also performs an additional side effect: starring the original repository. This creates an undocumented action affecting the user's GitHub account and can manipulate engagement signals without explicit user consent.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Automatically starring repositories is unrelated to the core fork operation and uses the user's authenticated GitHub token to modify account state. Because it happens after a successful fork and is treated as non-fatal, it functions as an unauthorized secondary action that could be abused to inflate stars or silently alter user activity.

Missing User Warnings
Severity: Medium
Confidence: 95%
The README normalizes automatic starring without clearly warning that this is an additional account mutation beyond forking. In a skill that acts on behalf of a user via API token, undisclosed extra actions undermine informed consent and can lead to unauthorized social signaling from the user's account.

Missing User Warnings
Severity: Medium
Confidence: 90%
The README instructs users to persist a GitHub personal access token in shell startup files without emphasizing credential sensitivity or safer storage alternatives. This increases the chance of accidental token exposure through shell history, dotfile backups, screen sharing, or committing configuration files, especially since the token may carry repo-scoped privileges.

Missing User Warnings
Severity: Medium
Confidence: 96%
The skill description does not warn users that invoking a fork action will also star the source repository. This omission prevents informed consent for an action that changes the user's account behavior and public engagement footprint.

VirusTotal

64/64 vendors flagged this skill as clean.