ClawHub

Jenkins Build

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to trigger local Jenkins builds, but it exposes admin-style credentials and can start CI jobs through an authenticated browser session without a clear confirmation step.

Review before installing. Only use this for the intended local Jenkins instance, remove and rotate the documented admin/admin credential if it is valid, prefer a least-privilege Jenkins token or account, and require explicit confirmation of the target job before any build is triggered.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Documenting default Jenkins credentials (`admin/admin`) is dangerous because it normalizes insecure authentication and may directly enable unauthorized access if such credentials are actually configured. In the context of a build system, compromise could allow attackers to trigger builds, access logs or artifacts, or pivot into CI/CD infrastructure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough that ordinary conversation about builds or Jenkins could activate the skill unintentionally. Because the skill performs an operational action against Jenkins, accidental activation could queue unwanted builds, consume CI resources, or deploy incorrect packaging outputs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes directly clicking Jenkins 'Build Now' without a clear warning or confirmation before executing the action. In CI/CD contexts, triggering a build is a state-changing operation that can consume resources, produce artifacts, and potentially affect release workflows, so the absence of an explicit user confirmation increases operational and security risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file embeds Jenkins credentials in plaintext (`admin`/`admin`) alongside the service URL, which directly exposes administrative access details to anyone who can read the skill. Even if these are intended for local development, hardcoded credentials are routinely reused or deployed unchanged, enabling unauthorized job execution, code access, artifact manipulation, and broader CI/CD compromise.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal