workspace-git-sync

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its advertised workspace-to-Git backup job, but it can delete files in a chosen repository and push workspace contents to a remote without a confirmation or dry-run step.

Use only with a dedicated private backup repository after checking the target path, branch, and remote URL. Review the workspace for secrets before running, and avoid force_sync unless you intentionally need to rewrite the remote branch history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill describes and enables shell execution and file-writing behavior but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: a caller or platform may not realize the skill can modify repositories, delete files during sync, and run Git commands with the user's credentials.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill exposes a `force_sync` path that performs `git push --force-with-lease`, allowing remote history to be rewritten. For a backup/sync skill, this is unnecessarily dangerous because it can discard collaborators' commits or destroy recovery history if the target repo is shared or misselected.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The implementation deletes nearly everything in the target repository before copying the workspace, which means using the tool on the wrong repo can wipe unrelated tracked and untracked content. In the context of a skill that accepts an arbitrary local repo path, this broad destructive behavior materially increases the chance of irreversible data loss and accidental corruption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes a sync flow that includes cleaning old files and copying new ones, but it does not clearly warn users that files in the target repository may be deleted or overwritten. In a backup/sync skill that operates on a user-supplied repository and performs automated git actions, this omission can lead to accidental data loss or destructive updates, especially if the target repo contains unrelated files.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented workflow includes cleaning the target directory before copying workspace contents, but the description does not clearly warn that existing files in the target repository will be deleted. This is dangerous because users may point the skill at a non-dedicated repository and suffer destructive data loss before realizing the sync is not additive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed to commit and push the entire workspace to a Git repository, potentially including sensitive files, prompts, tokens, notes, or proprietary data, yet it lacks an explicit privacy warning. Because push may send data to a remote configured in the target repo, users could unintentionally exfiltrate confidential workspace contents to external services.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script performs destructive deletion of target repository contents without any confirmation prompt, dry-run, or explicit acknowledgment of what will be removed. Because the target path is user-supplied and the repository may contain unrelated content, this creates a serious accidental data-loss risk even absent malicious intent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The force-sync path can rewrite remote branch history without a separate confirmation or strong pre-action warning. In a backup-oriented skill, allowing one call path to alter shared remote history greatly amplifies the consequences of misconfiguration or prompt-driven misuse.

VirusTotal

VirusTotal findings are pending for this skill version.