ClawHub

YouTrack Project Management

Security checks across malware telemetry and agentic risk

Overview

This is a coherent YouTrack helper that needs careful handling of tokens, write actions, and invoice exports but does not show hidden or malicious behavior.

Use a least-privileged YouTrack token, prefer YOUTRACK_TOKEN over command-line token arguments, verify the instance URL before running scripts, and manually review generated invoices for project scope, dates, rate, rounding, worker names, and internal issue details before sharing them with clients.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill promotes generating client invoices directly from time-tracking data and even suggests saving and printing the output for clients, but it does not warn that billing data is sensitive or that charges should be reviewed before external distribution. In this context, inaccurate rounding, misattributed work items, or inclusion of unintended project data could lead to financial loss, privacy exposure, or client disputes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script prints full invoice data directly to stdout, which includes project names, issue summaries/descriptions, work item dates, durations, and author names. In a skill whose purpose is to generate invoices from YouTrack time-tracking data, this can expose sensitive operational or personal data to logs, calling systems, or unintended users if output handling is not tightly controlled.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal