Chezmoi

Security checks across malware telemetry and agentic risk

Overview

This chezmoi skill mostly matches dotfile-management workflows, but it also installs and launches a Claude Code helper with permission safeguards disabled and weak user-control disclosure.

Install only if you explicitly want this skill to manage chezmoi-driven app configuration and SourceGit/Claude integration. Before using doctor or SourceGit actions, inspect bin/claude-source.sh, remove --dangerously-skip-permissions unless you truly need it, avoid automatic session resume if possible, and do not store secret tokens as plaintext in dotfiles that may sync or be committed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill metadata and visible documentation present the capability as benign chezmoi/dotfile management, but the referenced behavior includes terminal automation, GUI control via AppleScript, launching Claude Code, session resumption, repository injection, and use of a dangerous skip-permissions flag. That gap is dangerous because it hides higher-risk automation behind an innocuous description, reducing informed user consent and increasing the chance the skill is invoked in contexts where it can perform powerful actions unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This script is outside the stated chezmoi-focused skill scope and instead launches Claude Code with a resumed session and expanded directory access. That broader session-control behavior increases attack surface because a user invoking a dotfile-management skill may unknowingly grant an AI tool access and continuity beyond the expected task context.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The command includes `--dangerously-skip-permissions --resume`, which disables normal permission safeguards and reattaches to an existing Claude session. Combined with `--add-dir '$REPO'`, this can expose repository contents to a privileged AI session without fresh approval, creating a significant unauthorized access and action risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes broad phrases such as "cross platform," "missing script," and "MCP sync," which can match ordinary user requests outside the intended chezmoi workflow. In a skill that may perform file copying, configuration propagation, and other automation, overbroad activation increases the risk of unintended execution and surprise side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically opens Terminal or Tabby and executes the constructed Claude command with no user-facing warning, review, or confirmation. Silent execution is especially risky here because the command uses a dangerous permission-bypass flag and could cause users to initiate a privileged AI session unintentionally from SourceGit.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guidance explicitly suggests converting `${VAR}` references by embedding actual secret values into chezmoi-managed configuration, without warning about storing credentials in dotfiles, templates, or source control. In a dotfile sync context, this can cause accidental credential disclosure across machines, backups, logs, or repositories, especially because the workflow centralizes and propagates configuration broadly.

Session Persistence

Medium
Category
Rogue Agent
Content
# macOS
SCRIPT=~/.claude/skills/chezmoi/bin/claude-source.sh
TARGET=~/bin/claude-source.sh
[[ -f "$TARGET" ]] && echo "OK" || { mkdir -p ~/bin && cp "$SCRIPT" "$TARGET" && chmod +x "$TARGET" && echo "INSTALLED"; }

# Windows (Git Bash)
SCRIPT=~/.claude/skills/chezmoi/bin/claude-source.bat
Confidence
80% confidence
Finding
mkdir -p ~/bin && cp "$SCRIPT" "$TARGET" && chmod +x "$TARGET" && echo "INSTALLED"; } # Windows (Git Bash) SCRIPT=~/.claude

VirusTotal

63/63 vendors flagged this skill as clean.
