GitHub Actions Permission Scope Audit

Security checks across malware telemetry and agentic risk

Overview

This skill is a local GitHub Actions permission audit tool, and the risky workflow it contains is a fixture used to test detection rather than an installed workflow.

Install only if you are comfortable running a local Bash/Python audit over repository workflow files. Keep the workflow glob narrow, review reports before sharing them, and enable FAIL_ON_CRITICAL only when you intentionally want CI or scripts to fail on critical permission findings.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The workflow grants `write-all` token permissions to every job, which is far broader than required for a permission-audit task and violates least privilege. In a GitHub Actions context, excessive write scope can let a compromised or modified workflow write to repository contents, issues, pull requests, or other resources, turning even simple steps into a repository takeover primitive.

Context-Inappropriate Capability

Critical
Confidence: 99%
Finding
Using `pull_request_target` causes the workflow to run in the context of the base repository, and combining that with `write-all` gives untrusted pull request activity access to a highly privileged token. For a skill whose stated purpose is only auditing permission scope drift, this combination is unjustified and especially dangerous because it can enable attackers to abuse PR-triggered execution paths to modify repository state, tamper with workflows, or exfiltrate privileged data.

VirusTotal

64/64 vendors flagged this skill as clean.