review-sendmsg

Security checks across malware telemetry and agentic risk

Overview

This is a code-review skill, but its main instructions under-disclose that bundled helpers can send repository diffs to an external LLM, notify Telegram, clone configured repos, and keep local review state.

Review this as an automated repository-review runner, not just a local Python review checklist. Install or run it only for repositories you are comfortable sharing with the configured LLM provider and Telegram chat, use least-privilege tokens, avoid sensitive/private diffs unless approved, and consider local-only REVIEW_MODE or a trusted self-hosted LLM endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tainted flow: 'LLM_API_URL' from os.getenv (line 28, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
retries = int(os.getenv("LLM_MAX_RETRIES", "3"))
for i in range(retries + 1):
    try:
        r = requests.post(
            LLM_API_URL,
            headers={"Authorization": f"Bearer {LLM_API_KEY}", "Content-Type": "application/json"},
            json=payload,
Confidence
91% confidence
Finding
r = requests.post( LLM_API_URL, headers={"Authorization": f"Bearer {LLM_API_KEY}", "Content-Type": "application/json"}, json=payload,

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This script sends repository diff content to an external LLM service and also reports outcomes to Telegram, creating a clear external data egress path. In a code-review skill, diffs can contain proprietary code, credentials, infrastructure details, or security fixes, so transmitting them off-platform without disclosure or redaction can cause serious confidentiality and compliance issues.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The full diff text is interpolated into a prompt and transmitted to a third-party LLM API without any notice, consent flow, or content filtering. Because diffs often include sensitive source code and sometimes embedded secrets, this can unintentionally disclose confidential material to an external processor.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends review outcomes to Telegram without any user-facing disclosure. Even though the message is shorter than the diff, commit identifiers, file counts, and failure reasons can still reveal operationally sensitive information to an external service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script transmits repository diffs to an external LLM service and elsewhere sends review results/logs to Telegram, yet there is no visible warning, consent step, or policy gate in this file. In a code-review skill, that is particularly sensitive because diffs can contain credentials, internal endpoints, business logic, and security fixes before release.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script silently loads credentials from environment variables and immediately uses them for outbound services without any visible disclosure or runtime confirmation. While loading secrets itself is normal, the hidden coupling to external transmission increases the chance of unintended data export and weak operational awareness.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
python-dotenv>=1.0.1
Confidence
86% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
73% confidence
Finding
python-dotenv

VirusTotal

63/63 vendors flagged this skill as clean.
