Git Federation Searcher

Security checks across malware telemetry and agentic risk

Overview

This Git search skill does what it says, but it needs review before install: user-supplied search text reaches a shell command (the searxng fallback runs subprocess.run(..., shell=True) on an f-string that embeds the query), and custom instances and their API tokens are weakly controlled (any Telegram user can register an instance URL with /gitadd, and tokens are appended to request URLs as query parameters and written to a plaintext JSON file).

Install only after review or patching. Do not expose the Telegram bot to untrusted users, do not configure sensitive API tokens with this version (they are sent as URL query parameters on curl's command line, where other local processes can read them, and saved unencrypted on disk), and only add trusted HTTPS Git instances. Fix the shell=True fallback before use in any shared or remotely triggered environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _detect_type(self, url: str) -> str:
        """Try to detect Git instance type"""
        try:
            result = subprocess.run(
                ["curl", "-s", "-m", "5", f"{url}/api/v1/version"],
                capture_output=True,
                text=True
Confidence
94% confidence
Finding
result = subprocess.run( ["curl", "-s", "-m", "5", f"{url}/api/v1/version"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Try GitLab
        try:
            result = subprocess.run(
                ["curl", "-s", "-m", "5", f"{url}/api/v4/version"],
                capture_output=True,
                text=True
Confidence
94% confidence
Finding
result = subprocess.run( ["curl", "-s", "-m", "5", f"{url}/api/v4/version"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _test_instance(self, instance: GitInstance) -> bool:
        """Test if instance is reachable"""
        try:
            result = subprocess.run(
                ["curl", "-s", "-m", "5", "-o", "/dev/null", "-w", "%{http_code}", 
                 f"{instance.url}/api/v1/version"],
                capture_output=True,
Confidence
95% confidence
Finding
result = subprocess.run( ["curl", "-s", "-m", "5", "-o", "/dev/null", "-w", "%{http_code}", f"{instance.url}/api/v1/version"], capture_out

subprocess module call

Medium
Category
Dangerous Code Execution
Content
search_query = f"site:codeberg.org OR site:gitea.com OR site:notabug.org {query}"
            cmd = f'SEARXNG_URL=http://127.0.0.1:8080 python3 /root/.openclaw/workspace/skills/searxng-bangs/scripts/search.py "{search_query}" --num 10'
            
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
            
            if result.returncode == 0:
                data = json.loads(result.stdout)
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if instance.api_token:
                    url += f"&access_token={instance.api_token}"
                
                result = subprocess.run(
                    ["curl", "-s", "-m", "10", url],
                    capture_output=True,
                    text=True
Confidence
92% confidence
Finding
result = subprocess.run( ["curl", "-s", "-m", "10", url], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if instance.api_token:
                    url += f"&private_token={instance.api_token}"
                
                result = subprocess.run(
                    ["curl", "-s", "-m", "10", url],
                    capture_output=True,
                    text=True
Confidence
92% confidence
Finding
result = subprocess.run( ["curl", "-s", "-m", "10", url], capture_output=True, text=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises capabilities that imply file access, shell execution, and outbound network use, but it declares no permissions or trust boundaries. In an agent environment, this prevents users and policy systems from understanding what the skill can do, increasing the risk of silent command execution, data access, or network transmission beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The manifest requests the 'exec' permission even though the skill's stated purpose is federated Git search over web/API sources. Unnecessary command-execution capability expands the attack surface significantly: if the skill code is compromised, prompt-injected, or simply misused, it could run local system commands unrelated to search and access or modify the host environment.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This fallback search introduces command-execution capability unrelated to a simple search role by invoking a shell with user-controlled input. The skill context makes it especially dangerous because search terms are naturally attacker-influenced and likely to be treated as harmless by users.
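The following is an added example, not code from the skill or from SkillSpector, covering both the shell=True excerpt in the subprocess findings above and this finding. It rebuilds the skill's fallback command string, shows how a constructed query containing a double quote turns into extra shell words, and shows the argv-list replacement in which the query is always a single argument. The script path, SEARXNG URL and site list are copied from the finding; PAYLOAD is a constructed attacker query, and ECHO_STUB is an assumed stand-in for search.py so the example runs offline.

```python
"""Added example (not the skill's own code): why the shell=True fallback is
injectable through the search query, and the argv-list form that is not."""
import os
import shlex
import subprocess
import sys

# Copied from the finding; the real search script is never executed here.
SEARCH_SCRIPT = "/root/.openclaw/workspace/skills/searxng-bangs/scripts/search.py"
SEARXNG_URL = "http://127.0.0.1:8080"
SITES = "site:codeberg.org OR site:gitea.com OR site:notabug.org"

# Constructed payload: the double quote closes the skill's "{search_query}"
# literal, so `; id ;` becomes a second command for /bin/sh.
PAYLOAD = 'foo" ; id ; echo "'


def vulnerable_cmd(query: str) -> str:
    """The exact string the skill hands to subprocess.run(..., shell=True)."""
    search_query = f"{SITES} {query}"
    return f'SEARXNG_URL={SEARXNG_URL} python3 {SEARCH_SCRIPT} "{search_query}" --num 10'


def shell_words(cmd: str) -> list:
    """Tokenize the string the way a POSIX shell would (quote-aware via shlex).
    A benign query yields 6 words; anything beyond that came from the query."""
    return shlex.split(cmd)


def hardened_argv(query: str) -> list:
    """argv list for shell=False: the query is one argument whatever it contains."""
    return ["python3", SEARCH_SCRIPT, f"{SITES} {query}", "--num", "10"]


def hardened_env() -> dict:
    """SEARXNG_URL is passed through env=, not as a shell prefix."""
    return {**os.environ, "SEARXNG_URL": SEARXNG_URL}


def run_fallback_search(query: str, argv_prefix=None) -> str:
    """Run the fallback with shell=False and return its stdout.
    argv_prefix replaces ["python3", SEARCH_SCRIPT] so a stub can stand in."""
    argv = hardened_argv(query)
    if argv_prefix is not None:
        argv = list(argv_prefix) + argv[2:]
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=30, env=hardened_env(), check=False)
    return result.stdout


# Assumed stub standing in for search.py: prints its first argument verbatim,
# which lets us see exactly what the script would receive as the query.
ECHO_STUB = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')"]


if __name__ == "__main__":
    print(shell_words(vulnerable_cmd(PAYLOAD)))
    print(hardened_argv(PAYLOAD))
    print(repr(run_fallback_search(PAYLOAD, ECHO_STUB)))
```

With the argv list the quote and semicolons arrive inside the query argument and never reach a shell; whether search.py then handles that string safely is a separate question, but the host no longer executes `id`.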

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The /gitadd command lets any Telegram user supply an arbitrary URL that the backend will test and later query, creating an SSRF-style network pivot to attacker-controlled or internal endpoints. In a bot context, this is especially risky because it turns a chat command into server-side outbound network access that may reach internal services, cloud metadata, or private Git instances beyond the intended federation targets.
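An added example, not the skill's own code, of the check a /gitadd handler should run before an instance URL is tested or stored: only https origins, no embedded credentials or paths, and neither the literal host nor any address it resolves to may be loopback, private, link-local (which covers the 169.254.169.254 cloud metadata address) or otherwise non-public. The resolver is injectable; FAKE_DNS is a constructed table so the example runs offline, and real_resolve() is the assumed production resolver.

```python
"""Added example (not the skill's own code): validate a /gitadd URL so the bot
cannot be pointed at internal services, metadata endpoints or loopback."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table for offline use. The third entry models a public
# hostname that resolves to the cloud metadata address.
FAKE_DNS = {
    "codeberg.org": ["217.197.91.145"],
    "git.internal.corp": ["10.0.4.12"],
    "evil.example": ["169.254.169.254"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def real_resolve(host: str) -> list:
    """Production resolver (assumed): every address getaddrinfo returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})


def validate_instance_url(url: str, resolve=real_resolve) -> str:
    """Return the normalized origin (https://host[:port]) or raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("only https:// instances may be added")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("supply only the instance origin, no path or query")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        # Literal IP: check it directly. urlsplit strips [] from IPv6 literals.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        resolved = resolve(host)
        if not resolved:
            raise ValueError(f"{host} does not resolve")
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local (incl.
        # 169.254.169.254), CGNAT, multicast and reserved ranges.
        if not addr.is_global:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{host}{port}"


def is_allowed(url: str, resolve=real_resolve) -> bool:
    """Boolean form for a handler that just wants to accept or refuse."""
    try:
        validate_instance_url(url, resolve)
        return True
    except ValueError:
        return False
```

The check resolves the name once, but curl resolves it again when the instance is later queried, so a name that changes its answer (DNS rebinding) can still slip through. Pinning the validated address for the request, for example with curl's `--resolve host:port:addr` option, closes that gap, and the /gitadd command itself should additionally be limited to the bot operator rather than any chat user.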

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill supports custom private Git instances with API token support, but the description does not warn how credentials are collected, stored, transmitted, or redacted from logs. Because the tool also performs outbound network searches and may support self-hosted endpoints, mishandling tokens or private instance metadata could expose sensitive internal repository information or credentials to untrusted services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Configured instances, including api_token values, are serialized to a JSON file on disk without encryption, redaction, or clear disclosure. This risks credential exposure to other local users, backups, logs, or any process that can read the workspace directory.
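An added example, not the skill's own code, for the two token findings above and the `&access_token=` / `&private_token=` excerpts in the subprocess findings. Instance records keep only the name of an environment variable, so the JSON file (written 0600) never holds a token; the token is read at request time and sent as a header rather than a query parameter, so it never appears in curl's argv, proxy logs or the server's access log. The Gitea and GitLab search endpoints are assumed routes for illustration, not taken from the skill, and find_plaintext_tokens() is an audit check for a config written by the current version.

```python
"""Added example (not the skill's own code): keep API tokens out of the
instances JSON file and out of request URLs."""
import json
import os
import stat
import tempfile
from dataclasses import dataclass, asdict
from typing import Optional
from urllib.parse import quote

# Key names a legacy config might use to carry a token value.
TOKEN_KEYS = {"api_token", "access_token", "private_token", "token"}


@dataclass
class GitInstance:
    name: str
    url: str
    type: str                        # "gitea" or "gitlab"
    token_env: Optional[str] = None  # e.g. "GIT_TOKEN_CORP"; the value is never stored


def save_instances(instances, path: str) -> None:
    """Write the config owner-readable only (0600); no token values are in it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump([asdict(i) for i in instances], f, indent=2)
    os.chmod(path, 0o600)  # tighten a file that already existed with a looser mode


def load_instances(path: str) -> list:
    with open(path) as f:
        return [GitInstance(**d) for d in json.load(f)]


def auth_headers(instance: GitInstance, environ=os.environ) -> dict:
    """Header equivalents of the two query-string schemes the skill uses."""
    if not instance.token_env:
        return {}
    token = environ.get(instance.token_env)
    if not token:
        raise RuntimeError(f"{instance.name}: {instance.token_env} is not set")
    if instance.type == "gitlab":
        return {"PRIVATE-TOKEN": token}
    return {"Authorization": f"token {token}"}


def search_url(instance: GitInstance, query: str, limit: int = 10) -> str:
    """Search URL with no credential in it (assumed Gitea/GitLab routes)."""
    q = quote(query, safe="")
    if instance.type == "gitlab":
        return f"{instance.url}/api/v4/projects?search={q}&per_page={limit}"
    return f"{instance.url}/api/v1/repos/search?q={q}&limit={limit}"


def find_plaintext_tokens(config_text: str) -> list:
    """Audit an existing instances.json: records that carry a token value."""
    hits = []
    for rec in json.loads(config_text):
        for key in sorted(TOKEN_KEYS & set(rec)):
            if rec[key]:
                hits.append(f"{rec.get('name', '?')}.{key}")
    return hits


def demo(tmpdir: Optional[str] = None) -> dict:
    """Round-trip one constructed instance through disk and report the results."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    path = os.path.join(tmpdir, "instances.json")
    inst = GitInstance("corp", "https://git.corp.example", "gitea", "GIT_TOKEN_CORP")
    save_instances([inst], path)
    with open(path) as f:
        text = f.read()
    return {
        "mode": stat.S_IMODE(os.stat(path).st_mode),
        "text": text,
        "loaded": load_instances(path)[0],
        "headers": auth_headers(inst, {"GIT_TOKEN_CORP": "s3cret"}),
        "url": search_url(inst, "rust tls"),
    }


if __name__ == "__main__":
    print(demo())
```

If the skill keeps shelling out to curl, the header still has to be passed as an argument (`-H "Authorization: token ..."`), which puts the token back in argv; the clean route is to make the request from Python (urllib or requests) with these headers, or to use curl's `--config` / `-K` file option so the header is read from a 0600 file instead of the command line.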

VirusTotal

65/65 vendors flagged this skill as clean.
