GitHub Token

Security checks across malware telemetry and agentic risk

Overview

This GitHub helper is mostly purpose-aligned, but it needs review because it handles powerful GitHub tokens unsafely and can publish all local changes without a clear review step.

Install only if you are comfortable giving the agent a GitHub token that can read or modify repositories within its scopes. Use a fine-grained, short-lived PAT limited to the specific repository, avoid storing it in TOOLS.md, revoke it when done, and manually review git status and diffs before allowing any commit or push.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Stage all changes
    print("📦 Staging changes...")
    subprocess.run(["git", "add", "-A"])

    # Commit
    print(f"💾 Committing: {message}")
Confidence
89% confidence
Finding
subprocess.run(["git", "add", "-A"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Push
    print(f"🚀 Pushing to {branch}...")
    if use_url:
        result = subprocess.run(
            ["git", "push", "-u", auth_url, branch],
            capture_output=True, text=True
        )
Confidence
98% confidence
Finding
result = subprocess.run( ["git", "push", "-u", auth_url, branch], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    else:
        # Try setting upstream
        if use_url:
            result = subprocess.run(
                ["git", "push", "--set-upstream", auth_url, branch],
                capture_output=True, text=True
            )
Confidence
98% confidence
Finding
result = subprocess.run( ["git", "push", "--set-upstream", auth_url, branch], capture_output=True, text=True )

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to store a GitHub PAT in TOOLS.md, a plain file, without prominent warnings about credential leakage, accidental commits, logging exposure, or local file compromise. Persisting long-lived credentials in documentation or workspace files materially increases the risk of token theft and subsequent repository compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The clone workflow writes to disk and authenticates by embedding the PAT in the HTTPS URL. In this skill context, users may trust the tool with sensitive repository access; putting the token in the clone URL can leak it through process inspection, git remote configuration, or accidental logging while also causing unreviewed filesystem changes.

Missing User Warnings

High
Confidence
99% confidence
Finding
This workflow automatically stages all changes, commits them, and pushes them to a remote, with token-bearing URL injection in some cases and no explicit review or approval step. In an agent skill, that creates a real risk of exfiltrating secrets or unrelated files and publishing unintended changes to a remote repository under the user's credentials.

VirusTotal

66/66 vendors flagged this skill as clean.
