Skill Releaser

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent release automation tool, but it needs Review because its high-impact publishing workflow has a flawed security gate and relies on unpinned local tooling before making content public.

Install only after reviewing the release target and credentials. Use least-privilege GitHub and ClawHub accounts, verify the exact staging directory and repo before approval, do not rely on the OPSEC gate until the fail-open bug and `/tmp` helper provenance are fixed, and treat force-push/public visibility steps as irreversible publication actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium (87% confidence)
The skill directs writes outside the target skill directory, including review artifacts in a broader repository path. That expands the blast radius of the skill and can unintentionally modify unrelated project state or leak sensitive information into shared locations.

Natural-Language Policy Violations

Severity: Low (95% confidence)
The changelog documents a hard gate requiring a specific honorific-based approval phrase ("D-## yes" from "My Lord") before publish. This creates a fragile, socially manipulative approval mechanism that can pressure users into specific phrasing, increase misinterpretation risk, and cause unsafe releases if the agent keys off ceremonial language rather than clear, user-consented authorization semantics. In a release/publish skill, approval handling is security-relevant because it governs an external action.

Missing User Warnings

Severity: Medium (88% confidence)
The README explicitly states that release involves erasing history with an orphan branch and force-push, then making the repository public, but it does not present this as a prominent irreversible-risk warning with safeguards. In a release automation skill, that omission is dangerous because users may trigger destructive git operations or unintentionally expose sensitive content without fully understanding the consequences.

Vague Triggers

Severity: Medium (89% confidence)
Broad triggers like 'release skill' and 'release readiness' increase the chance of accidental invocation during unrelated conversations. Because this skill performs repo creation, file generation, and publication steps, unintended activation could cause real state changes before the user realizes it.

Missing User Warnings

Severity: Medium (94% confidence)
The skill explicitly instructs automatic repo creation and local file generation before review, without requiring clear pre-execution user consent for those modifications. In an agent context, silent modification of repositories and filesystem state can lead to unauthorized changes, data exposure, or irreversible publication preparation.

Missing User Warnings

Severity: Medium (95% confidence)
The script executes a Python scanner from a fixed writable-looking path under /tmp, which is a dangerous trust boundary violation. If an attacker can place or replace validate-job-output.py at that location, the release pipeline will run attacker-controlled code during an OPSEC scan, potentially leading to arbitrary code execution, tampered scan results, or credential/environment exfiltration. In this release skill context, that is more dangerous because the script is part of a trusted publication pipeline and may run with access to repositories, tokens, and release artifacts.

Vague Triggers

Severity: Medium (91% confidence)
The trigger phrase "release readiness" is broad enough to match routine review or status-check requests and could invoke a high-privilege release workflow unexpectedly. In this skill's context, accidental activation is more dangerous because the declared permissions include git operations, repository changes, publishing actions, and filesystem writes.

Vague Triggers

Severity: Medium (94% confidence)
The trigger phrase "publish skill" is overly generic and likely to collide with normal user language, increasing the chance that the agent launches a publication-capable workflow without sufficiently explicit authorization. Because this skill can use gh, git force-push, visibility changes, and registry publishing, an accidental match could lead to unintended external release activity.

Missing User Warnings

Severity: High (97% confidence)
The manifest advertises force-push and repository visibility changes but does not state any requirement for user confirmation, dry-run behavior, or approval before destructive or externally visible actions. In a release skill, those capabilities materially raise the risk of accidental publication, history rewrite, or unintended exposure of private code or metadata.

Vague Triggers

Severity: Medium (91% confidence)
The trigger set includes highly generic phrases like 'publish this skill', 'prepare for clawhub', and 'release this to clawhub' without requiring stronger scoping to a specific repository, skill identifier, or explicit confirmation step. In an agentic system, broad triggers can cause this release-oriented skill to activate on ambiguous user requests and route users into a workflow that performs sensitive publication actions, increasing the risk of unintended release or misuse.

VirusTotal

66/66 vendors flagged this skill as clean.