Github Flow

Security checks across malware telemetry and agentic risk

Overview

This is a coherent GitHub workflow automation skill, but it gives agents broad authority to mutate repositories and some actions are not consistently gated by explicit user confirmation.

Install only if you want an agent to actively manage GitHub issues, PRs, comments, reviewers, dependency relationships, local workflow records, and merges. Before using it, require explicit confirmation for every GitHub write, merge, public comment, branch deletion, issue-body edit, and global cache write, and consider overriding the public-repo Hangul blocking and global Copilot cache behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill instructs the agent to write Copilot rate-limit state into a shared global file under ~/.claude, creating cross-session state outside the repository and outside the immediate PR workflow. This can leak activity metadata across unrelated tasks or repos, allow stale or poisoned state to influence later actions, and violates least-privilege expectations for a PR automation skill.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to immediately apply GitHub state changes when a chat discussion reaches a priority conclusion, even if the user did not explicitly request the mutation in that turn. This weakens user-consent boundaries and can cause unintended issue/PR metadata changes in a live repository, especially because the trigger is a conversational inference rather than a clear action request.

Missing User Warnings

Medium
Confidence: 91%
Finding
This section contains authenticated GitHub CLI and GraphQL write operations that can modify repository state, but the skill does not provide a consolidated, user-facing warning that it will access tokens, query repository data, and mutate issues or PR metadata. In an agent setting, that omission increases the risk of silent external side effects, privacy exposure, and unexpected writes to production repositories.

Vague Triggers

Medium
Confidence: 91%
Finding
The invocation phrases are broad enough to match ordinary user language like 'merge the PR' or 'merge if CI passed', which increases the chance this high-impact skill is triggered unintentionally. Because the skill can perform irreversible repository actions, accidental activation could cause merges, issue edits, or cleanup steps that the user did not explicitly intend to authorize.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill directs destructive actions after merge, including branch deletion and modifying issue bodies, but does not require a clear user-facing warning or explicit consent for those side effects at execution time. In a repository workflow context, these actions can remove recovery points or alter planning artifacts unexpectedly, creating integrity and auditability risks.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The skill hard-codes PR language selection based on repository visibility, with English mandated for public repos and Korean default for private repos unless special exceptions apply. This overrides user preference and may cause unintended disclosure or policy misalignment, especially when language choice affects what content is posted publicly.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad enough to activate on common review-related requests such as 'apply review feedback' or 'address feedback', which can cause this skill to run in contexts the user may not have intended. Because the workflow proceeds to collect checklist items and apply code changes, over-broad activation increases the chance of unintended repository modifications or PR updates.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill directs the agent to write review content to a temp file and post a GitHub PR comment, which modifies external state, without requiring explicit user confirmation at the action point. In an agent setting, this can lead to unintended comment posting, repository spam, disclosure of sensitive analysis, or actions taken on the wrong PR if the invocation is ambiguous.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
Forcing the review comment language based on repository team language without explicit user opt-in can cause miscommunication, user-surprising behavior, and accidental disclosure if the generated text is sent externally in a language the user did not intend. While not a classic memory-corruption issue, it is a policy and control weakness because it overrides user communication preferences during an external action.

Natural-Language Policy Violations

High
Confidence: 98%
Finding
The skill enforces an English-only rule by blocking Hangul characters in content destined for public repositories, regardless of user intent or project norms. This creates discriminatory behavior, can suppress legitimate multilingual reporting, and may cause loss or alteration of user-authored content under the guise of sanitization even though Hangul itself is not personal data.

VirusTotal

63/63 vendors flagged this skill as clean.