ClawHub

GitHub Issues Auto-Fix

Security checks across malware telemetry and agentic risk

Overview

This GitHub automation skill is mostly purpose-aligned, but it needs Review because it handles GitHub tokens unsafely and can run write-capable agents with reduced approval.

Install only with a fine-grained GitHub token limited to the intended repository. Avoid --yes, --cron, --watch, and --notify-channel unless you are comfortable with automated pushes, PRs, comments, persisted state, and external notification of repo details. Rotate any token that may have appeared in logs or transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill is instructed to read GH_TOKEN from local config files and export it for subsequent commands, expanding access from repository automation into credential discovery. This is dangerous because the skill can access secrets outside explicit user input and then use them to perform authenticated network and git operations, increasing blast radius if the skill is misused or compromised.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill can send final PR summaries to a Telegram channel, which is an external transmission capability unrelated to core GitHub issue processing. That creates a data exfiltration path for repository metadata, issue titles, PR URLs, and change summaries to leave the trusted GitHub environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill accesses and exports GH_TOKEN from local config without an explicit user-facing warning that credentials will be read from disk. This is dangerous because it normalizes secret harvesting behavior and may grant the skill privileges the user did not knowingly authorize for the current run.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill description does not clearly warn that it will autonomously create branches, commit code, push to GitHub, and open pull requests. In context, these are high-impact write actions against source code and remote repositories, so understating them can lead to unsafe or unintended execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Telegram notification feature lacks a clear privacy warning even though it may send repository identifiers, issue titles, PR links, and fix summaries to an external channel. That creates an avoidable confidentiality risk, especially for private repositories or internal issue data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal