Snyk Vulnerability Scanner

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Snyk/GitHub security-automation purpose, but its documented dry-run mode can still create real GitHub issues.

Install only if you are comfortable with it using your authenticated Snyk and GitHub access to scan repos, create issues, push branches, and open PRs. Do not rely on the full-workflow dry-run mode for issue creation; use scan-only or set skip-issues/skip-fix when testing, and use least-privilege GitHub/Snyk credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill documentation describes use of shell commands, network access, and repository/file operations, but there is no declared permissions model or explicit scoping of those capabilities. In an agent setting, this can lead to over-privileged execution where the agent can clone arbitrary repositories, invoke authenticated CLIs, and modify remote state without clear user consent boundaries.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script makes repository changes, pushes a new branch, and opens a GitHub pull request automatically without a distinct confirmation gate immediately before the destructive remote actions. In an agent/automation context, this increases the risk of unintended changes being published to the wrong repository or branch if inputs are mistaken, manipulated, or the scan produces unsafe fixes.

VirusTotal

VirusTotal findings are pending for this skill version.
