GitHub PR Automation Pro

Security checks across malware telemetry and agentic risk

Overview

Review recommended: this GitHub PR skill is mostly purpose-aligned, but it can run unsafe shell commands through an authenticated GitHub CLI session.

Install only if you are comfortable reviewing and fixing the shell command handling first. Use a least-privilege GitHub account or token, test in a non-sensitive repository, avoid untrusted PR input values, and do not rely on the advertised auto-merge or batch-review commands unless those missing scripts are supplied and reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill documentation clearly describes use of the GitHub CLI and automation of PR creation, monitoring, review, and merging, which implies outbound network access to GitHub. If the skill does not declare the necessary permissions, users and enforcement layers may not have accurate visibility into what the skill can do, weakening trust and policy controls.

Vague Triggers

Medium
Confidence: 79%
Finding: The manifest description is very broad and could cause the skill to be invoked for many generic pull-request tasks, including sensitive repository actions like reviews, approvals, and merges. Over-broad routing increases the chance the skill is selected in situations where the user did not intend to authorize impactful automation.

Missing User Warnings

Medium
Confidence: 92%
Finding: The documentation advertises auto-merge of ready PRs and batch approval actions without any visible warnings, safeguards, or confirmation requirements. In a GitHub workflow context, these actions can directly change protected branches, bypass human review expectations, or approve many PRs at once, magnifying the impact of misuse or accidental invocation.

VirusTotal

VirusTotal findings are pending for this skill version.
