OpenClaw GitHub Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a functional GitHub helper, but it exposes live GitHub write actions with incomplete disclosure and no built-in confirmation guard.

Review before installing. Use a fine-grained GitHub token limited to the repositories and permissions you actually need, avoid the broad classic repo scope where possible, and require the agent to show the exact repository, title, body, branches, visibility, and any extra issue fields before it creates issues, repositories, or pull requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requires environment-sourced credentials and necessarily performs outbound GitHub API calls, but it does not declare permissions explicitly. That creates a transparency and policy-enforcement gap: users and security controls may not realize the skill can read secrets from env/config and communicate over the network. In a credentialed integration skill, undeclared capabilities are materially risky because they can enable unexpected data access or repository actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior understates the skill's effective capabilities if it can also create repositories, create pull requests, and fetch metadata for arbitrary owner/repo targets. That mismatch can mislead users into granting tokens or invoking the skill under the assumption it is limited to lower-risk repository queries and issue creation. In a GitHub automation context, hidden write capabilities are especially dangerous because they can alter codebases, create public artifacts, or interact with third-party repositories.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description says it can query and manage repositories by listing repos, checking CI status, creating issues, searching repos, and viewing recent activity, but the API also exposes createRepo and createPullRequest. This capability mismatch can mislead users or higher-level agents about the actions the skill may take, increasing the risk of unintended state-changing operations such as creating repositories or opening pull requests with authenticated GitHub permissions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill exposes write-capable actions such as repository creation and pull request creation, while the provided description emphasizes querying and managing repositories in a way that can understate the true degree of modification capability. This can mislead users or higher-level policy systems into granting trust or invoking the skill in contexts where only read-oriented operations were expected.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The exported description says the skill can 'Query and manage GitHub repositories,' which is broad but does not clearly disclose that it can create repositories, issues, and pull requests. In an agent ecosystem, understated capability descriptions are dangerous because routing, trust decisions, and user expectations may rely on metadata rather than deep inspection of every action.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises state-changing operations like creating issues and repositories, but it does not clearly warn users at the point of use that these actions modify remote GitHub resources. In an agent context, insufficient disclosure around write-capable actions increases the risk of unintended repository changes triggered by ambiguous prompts or user misunderstanding.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Saying the skill automatically uses stored credentials for authentication without a corresponding privacy or data-transmission warning can mislead users about when tokens are sent to GitHub and what account context actions will run under. In a credentialed agent integration, lack of transparency increases the chance of unintended authenticated access and unexpected remote actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This function performs a state-changing authenticated POST to create issues without any visible confirmation, approval gate, or restriction on extra fields supplied by args.extra. In an agent setting, ambiguous prompts or prompt injection elsewhere could cause unintended issue creation in the user's repository using the stored token.

Missing User Warnings

High
Confidence
97% confidence
Finding
This function can create new repositories with the user's authenticated GitHub identity and does so without any visible confirmation or secondary approval. In an agent environment, that creates a meaningful risk of unauthorized asset creation, namespace abuse, accidental exposure through private/public settings, and persistence of attacker-influenced content under the user's account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This function creates pull requests via authenticated POST without any visible confirmation of the repository, source branch, target branch, or PR content. In the context of an autonomous or semi-autonomous agent, that can be abused to submit unauthorized code changes or spam PRs, especially if upstream instructions or inputs are manipulated.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill exposes state-changing GitHub operations such as creating issues, repositories, and pull requests, but the declaration shows no visible warning, confirmation requirement, or disclosure that these actions can modify remote resources. In an agent setting, this increases the risk of unintended or prompt-induced writes to GitHub, especially because the skill description frames the capability broadly as 'manage GitHub repositories' without highlighting destructive or externally visible effects.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
This file exposes mutating GitHub actions, including repository, issue, and pull-request creation, without any visible confirmation, safety interlock, or warning at the action-definition layer. In an agent-driven environment, that increases the risk of unintended or prompt-induced side effects, especially because these actions can alter external systems and create persistent artifacts.

VirusTotal

64/64 vendors flagged this skill as clean.
