Project Bootstrap

Security checks across malware telemetry and agentic risk

Overview

This project setup skill is not obviously malicious, but it asks agents to create persistent project automation and change GitHub/Discord infrastructure without enough guardrails.

Install only if you are prepared to review every generated agent config and external change before running it. Use least-privilege agent tool profiles, narrow GitHub tokens to the intended repository, protect Discord webhooks, avoid sending sensitive commit text to Discord, and require explicit approval before creating repos, changing branch rules, adding workflows, posting webhooks, spawning agents, or enabling recurring checks.
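The approval rule in the paragraph above can be enforced mechanically rather than left to the operator's memory. The following is an added example of such a gate, not code from the Project Bootstrap skill or from SkillSpector: the tool profile, the action names and the repository allow-list are assumptions made for the illustration. Infrastructure-mutating actions (repo creation, branch rules, workflows, webhook posts, agent spawning, recurring checks) only run with an explicit approval flag, GitHub actions outside the allow-listed repository are refused regardless of approval, and any action kind the profile does not know is denied by default.

```python
"""Least-privilege policy gate for an agent tool profile (added illustration).

Profile shape, action names and the allow-lists below are assumed for the
example; they are not the skill's or any vendor's real schema.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Action kinds the overview says must never run without explicit approval.
APPROVAL_REQUIRED = {
    "github.create_repo",
    "github.set_branch_protection",
    "github.add_workflow",
    "discord.post_webhook",
    "agent.spawn",
    "scheduler.enable_recurring",
}

# Read-only actions a bootstrap skill legitimately needs without a prompt.
READ_ONLY = {"github.get_repo", "github.list_issues", "fs.read"}


@dataclass
class ToolProfile:
    """What the agent is allowed to touch; mirrors a narrowly scoped token."""
    allowed_repos: Set[str]                     # GitHub token is scoped to these only
    allowed_hosts: Set[str] = field(default_factory=set)  # outbound hosts permitted


@dataclass
class Action:
    kind: str
    repo: Optional[str] = None     # target repository for github.* actions
    host: Optional[str] = None     # outbound host for network actions
    approved: bool = False         # set only after a human confirmed this call


def decide(profile: ToolProfile, action: Action) -> str:
    """Return 'allow', 'needs_approval' or 'deny' for one requested action."""
    # Repository scoping is checked first: approval cannot widen the token.
    if action.kind.startswith("github.") and action.repo not in profile.allowed_repos:
        return "deny"
    # Same for outbound hosts: an unknown webhook host is never reachable.
    if action.host is not None and action.host not in profile.allowed_hosts:
        return "deny"
    if action.kind in APPROVAL_REQUIRED:
        return "allow" if action.approved else "needs_approval"
    if action.kind in READ_ONLY:
        return "allow"
    return "deny"  # default-deny: undeclared action kinds never run silently


def review_plan(profile: ToolProfile, plan: List[Action]) -> List[Tuple[str, str]]:
    """Evaluate a whole plan up front so the operator sees every gate before step one."""
    return [(a.kind, decide(profile, a)) for a in plan]


if __name__ == "__main__":
    # Constructed sample profile and plan for a bootstrap run.
    profile = ToolProfile(allowed_repos={"acme/widgets"},
                          allowed_hosts={"api.github.com", "discord.com"})
    plan = [
        Action("github.get_repo", repo="acme/widgets"),
        Action("github.create_repo", repo="acme/widgets"),
        Action("github.set_branch_protection", repo="acme/other"),
        Action("discord.post_webhook", host="evil.example"),
        Action("shell.exec"),
    ]
    for kind, decision in review_plan(profile, plan):
        print(f"{kind:32s} {decision}")
```

Running the plan through `review_plan` before the agent starts turns the four findings below into a visible checklist: each `needs_approval` line is a place where the operator must say yes, and each `deny` line is an action the profile would never have let through.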

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill describes actions that require environment access, file writes, and network operations, but it does not declare those permissions explicitly. This creates a transparency and control problem: an operator may invoke the skill without understanding that it can modify local files, access credentials, and reach external services such as GitHub or Discord.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The skill's declared description understates the operational scope by presenting high-level project bootstrap behavior while also implying taskboard operations, GitHub issue synchronization, and configuration generation. This mismatch is dangerous because users may authorize what they think is a planning/setup skill when it can also perform project-management mutations and external system updates.
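Both findings above are the same check from two angles: capabilities the skill body actually exercises versus (Lp3) the permissions it declares and (Tp4) the scope its one-line description admits. The following static lint is an added example of that comparison; it is not SkillSpector's detector and not code from the skill. The manifest fields, the regex tables, and the sample skill text are all constructed for the illustration, and a real scanner would use a richer capability model than these keyword patterns.

```python
"""Static underdeclared/undisclosed capability check (added illustration).

Manifest shape ('description', 'permissions'), the pattern tables and the
sample skill below are assumptions for the example, not a real skill schema.
"""
import re

# capability -> regexes whose match in the instruction body implies that capability
CAPABILITY_PATTERNS = {
    "env_read": [r"\$\{?[A-Z_]{3,}\}?", r"\bos\.environ\b", r"\bgetenv\b"],
    "fs_write": [r"\b(?:write|create|generate|scaffold) .*\.(?:yml|yaml|json|md)\b", r"\bmkdir\b"],
    "network": [r"https?://[^\s\"']+", r"\bcurl\b", r"\bwebhook\b"],
    "github_mutate": [r"\bcreate (?:a )?(?:new )?repo", r"\bbranch protection\b", r"\badd .*workflow"],
    "discord_post": [r"discord(?:app)?\.com/api/webhooks", r"\bpost .*discord\b"],
}

# capability -> words in a description that would honestly tell a user about it
DESCRIPTION_PATTERNS = {
    "env_read": [r"\benv", r"\btoken", r"\bsecret"],
    "fs_write": [r"\bgenerat", r"\bwrit", r"\bcreat", r"\bscaffold"],
    "network": [r"\bgithub\b", r"\bdiscord\b", r"\bwebhook\b", r"\bapi\b"],
    "github_mutate": [r"\brepo", r"\bbranch", r"\bworkflow"],
    "discord_post": [r"\bdiscord\b", r"\bnotif"],
}


def infer_capabilities(text, table):
    """Return the set of capabilities whose patterns match anywhere in text."""
    found = set()
    for capability, patterns in table.items():
        if any(re.search(p, text, re.IGNORECASE) for p in patterns):
            found.add(capability)
    return found


def check_skill(manifest, body):
    """Compare exercised capabilities with the manifest's declaration and description."""
    used = infer_capabilities(body, CAPABILITY_PATTERNS)
    declared = set(manifest.get("permissions", []))
    admitted = infer_capabilities(manifest.get("description", ""), DESCRIPTION_PATTERNS)
    return {
        "underdeclared": sorted(used - declared),  # Lp3-style: used, never declared
        "undisclosed": sorted(used - admitted),    # Tp4-style: used, hidden by the description
    }


# Constructed sample: a manifest that admits repo/CI setup but says nothing about
# environment secrets or Discord, paired with a body that uses both.
SAMPLE_MANIFEST = {
    "name": "project-bootstrap",
    "description": "Scaffolds a new project and sets up a GitHub repo and CI workflow.",
    "permissions": ["fs_write", "network"],
}
SAMPLE_BODY = """
1. Read $GITHUB_TOKEN from the environment and create a new repo under the org.
2. Enable branch protection on main and add the ci.yml workflow.
3. Write the agent config to .agent/config.json.
4. Post a summary to https://discord.com/api/webhooks/ID/TOKEN using DISCORD_WEBHOOK.
"""

if __name__ == "__main__":
    for key, caps in check_skill(SAMPLE_MANIFEST, SAMPLE_BODY).items():
        print(f"{key}: {', '.join(caps) or 'none'}")
```

The two lists differ on purpose: `network` and `github_mutate` are disclosed by the description but only `network` is declared, so repo mutation shows up as underdeclared while the Discord post and the secret read show up in both lists. That separation is what lets a reviewer tell a sloppy manifest from a misleading description.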

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill includes repository creation, branch protection changes, CI/CD setup, and webhook configuration without an explicit warning that it will modify external systems and project infrastructure. In context, this is especially sensitive because these actions can create repos, alter security controls, and connect outbound notification channels, potentially causing irreversible or organization-wide changes if run unintentionally.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The Discord notification template forwards repository metadata to an external webhook, including commit messages and author names. This creates a data-sharing risk because commit messages can contain sensitive details and author identity metadata is exposed to a third party, while the template does not warn users about this disclosure or suggest minimizing the payload.
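The payload minimization the finding above asks for looks like the following. This is an added example, not the skill's own notification template: it assumes a push-event-style list of commits with `sha`, `message` and `author` fields, keeps only the short SHA and the first line of each message, caps the length, redacts token-shaped strings, and drops author identity entirely. The secret patterns are a small illustrative set, not a complete scanner.

```python
"""Minimised Discord webhook payload for commit notifications (added illustration).

Input shape (list of dicts with 'sha', 'message', 'author') is assumed; the
secret patterns are a short illustrative list. Author metadata is never sent.
"""
import re

SECRET_PATTERNS = [
    r"\bgh[pousr]_[A-Za-z0-9]{20,}\b",                    # GitHub token prefixes
    r"\bAKIA[0-9A-Z]{16}\b",                              # AWS access key id
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----",                # pasted private key
    r"\b(?:password|passwd|secret|token)\s*[:=]\s*\S+",   # key=value leaks
]
MAX_SUBJECT = 72  # conventional git subject-line limit


def redact(text):
    """Replace anything that looks like a credential with a fixed marker."""
    for pattern in SECRET_PATTERNS:
        text = re.sub(pattern, "[redacted]", text, flags=re.IGNORECASE)
    return text


def minimise_commit(commit):
    """Keep short SHA and a redacted, truncated subject line; drop author and body."""
    subject = commit["message"].split("\n", 1)[0]  # bodies carry the most detail
    subject = redact(subject)
    if len(subject) > MAX_SUBJECT:
        subject = subject[: MAX_SUBJECT - 3] + "..."
    return {"sha": commit["sha"][:7], "subject": subject}


def build_discord_payload(repo, branch, commits):
    """Return the JSON-serialisable body to POST to the webhook URL."""
    lines = [f"`{c['sha']}` {c['subject']}" for c in map(minimise_commit, commits)]
    return {
        "content": f"{repo}@{branch}: {len(commits)} new commit(s)\n" + "\n".join(lines),
        "allowed_mentions": {"parse": []},  # never let commit text ping @everyone
    }


# Constructed sample commits: one leaks a token in its body, one in its subject,
# one has an over-long subject. None of the author fields survive minimisation.
SAMPLE_COMMITS = [
    {"sha": "0123456789abcdef", "message": "Fix auth\n\nOld token ghp_" + "A" * 36 + " was logged",
     "author": {"name": "Jane Doe", "email": "jane@example.com"}},
    {"sha": "fedcba9876543210", "message": "Rotate key token=hunter2 before release",
     "author": {"name": "John Roe", "email": "john@example.com"}},
    {"sha": "aaaaaaaaaaaaaaaa", "message": "x" * 100,
     "author": {"name": "Jane Doe", "email": "jane@example.com"}},
]

if __name__ == "__main__":
    print(build_discord_payload("acme/widgets", "main", SAMPLE_COMMITS)["content"])
```

Even with this minimization, the webhook URL itself is a bearer credential: anyone holding it can post to the channel, so it belongs in a secret store rather than in a generated agent config, which is the "protect Discord webhooks" point in the overview.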

VirusTotal

VirusTotal findings are pending for this skill version.
