ClawHub

Gstack Openclaw Skills

Security checks across malware telemetry and agentic risk

Overview

This is a development automation skill bundle, but it should be reviewed carefully because it can guide an agent to edit code, push changes, create PRs, and deploy from broad prompts without consistent approval boundaries.

Install only if you want an agentic development workflow that may modify your repository and interact with git remotes. Use explicit commands, prefer dry-run or report-only modes, inspect diffs before applying fixes, and require separate confirmation before commits, pushes, PR creation, or production deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (72)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The README presents contradictory safety semantics: one section says /review and /qa only suggest fixes by default, while many earlier examples describe fixes as already applied and deployment as completed automatically. For an agent skill that can modify code or trigger release workflows, this mismatch can cause users to grant trust or invoke actions under false assumptions about whether changes are merely suggested or actually executed.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document gives contradictory safety expectations: earlier sections say /review and /qa can apply fixes automatically, while the FAQ says they only suggest fixes by default and do not automatically modify code. This mismatch can cause users to invoke commands under false assumptions, leading to unintended code changes in local repositories or CI environments.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The FAQ claims all operations are local and code is never uploaded, but the same guide documents external integrations such as issue submission, PR creation, CI/CD interaction, and production deployment. Users may disclose code or trigger remote actions based on inaccurate assurances, creating confidentiality and change-management risk.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill contains conflicting instructions: the safety section requires user confirmation before automatic fixes, but the workflow and examples describe fixes being applied automatically. In an agent setting, this ambiguity can lead to unintended code modifications or repository-state changes without clear consent, especially if the executor follows the earlier operational steps instead of the later safeguard.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill is presented as a review tool, but later states that the task is not complete until issues are fixed, effectively expanding it into an editing tool. That mismatch weakens user expectations and consent boundaries, making it more likely the agent will modify code when the user only requested analysis.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest advertises analysis and feedback, but the documented behavior includes automatically modifying code and applying fixes. This is a capability disclosure failure: users and orchestrators may invoke the skill expecting read-only review, while it can perform write operations that alter source files and potentially git state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide presents `/ship` as an automatic workflow that merges branches, creates commits, pushes to remotes, and opens PRs, but does not clearly foreground that these are repository-modifying and remote side-effecting actions before encouraging use. In an agent setting, normalizing these actions through examples increases the chance a user triggers irreversible or production-impacting operations without informed confirmation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `/review` examples state that 'auto-fixes' are applied to source code without clearly warning that files may be modified as part of review. In an autonomous assistant context, this can lead users to invoke what sounds like read-only analysis but actually changes code, creating integrity and trust risks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly teaches natural-language triggers such as 'deploy this to production' as equivalent to `/ship`, while omitting warnings about the destructive or production-impacting consequences. This makes accidental activation more likely because ordinary conversational phrasing can be interpreted as authorization for deployment and remote repository mutation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
该文档面向 AI 助手的对话式操作,直接展示“部署到生产环境”“补丁发布”“自动修复”等高影响动作的成功流程,却没有要求二次确认、环境校验、回滚提示或风险声明。对于会据文档塑造行为边界的代理来说,这会降低执行门槛,增加误部署、误修复、错误发布到生产环境的概率。

Missing User Warnings

Low
Confidence
76% confidence
Finding
定时任务示例允许代理自动执行代码审查并发送邮件通知,但未说明权限范围、通知对象确认、频率限制或如何停用任务。对具备自动化能力的 AI 助手而言,这可能导致未经充分授权的持续执行和对外通知,带来信息泄露、噪声通知或资源滥用风险。

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example shows `/ship` performing repository-modifying actions such as merging, committing, pushing to remote, and creating a pull request without any explicit confirmation, warning, or approval gate. In an agent-skill context, examples strongly shape expected behavior, so this can normalize unsafe automation and lead users or downstream implementations to execute destructive or irreversible actions unintentionally.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The documentation states that broad natural-language requests such as 'review my code' or 'deploy to production' will trigger skill execution, but it does not define strict activation boundaries, confirmation steps, or disambiguation rules. In an agent environment, overly permissive triggers can cause unintended execution of powerful actions from casual conversation, quoted text, or ambiguous prompts.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The phrase 'Please install gstack-skills for me' is a very generic natural-language trigger for a system-modifying action. If the platform routes such requests automatically, normal conversational text could initiate repository cloning and local file installation without sufficiently deliberate user intent.

Missing User Warnings

High
Confidence
98% confidence
Finding
This section describes automatic cloning, platform detection, copying files into skill directories, and verification as if they occur directly from a conversational request, but it provides no warning, approval gate, or trust validation. That creates a clear risk of silent local-system modification and unreviewed installation of remote content.

Missing User Warnings

High
Confidence
96% confidence
Finding
The documentation promotes '/ship' as automated deployment and presents production release as a routine conversational action without any warning about environment impact, approval requirements, rollback planning, or credential sensitivity. In a real agent workflow, this can normalize unsafe deployment behavior and lead to unintended or premature production changes.

Missing User Warnings

High
Confidence
99% confidence
Finding
The chained example '/review → /qa → /ship' culminates in deployment as part of an automatic sequence and explicitly says 'I'll do it all for you,' with no pause for review before production release. This increases the chance that a user intending convenience will accidentally authorize deployment, or that ambiguous parsing of conversational text will trigger a full end-to-end pipeline.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly describes the review workflow as finding issues and then 'applying fixes' automatically, but it does not mention any confirmation step, dry-run mode, or warning that user code may be modified. In an agent skill context, silent code mutation can introduce unintended changes, overwrite user work, or normalize unsafe autonomous behavior without informed consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The deployment workflow includes high-impact repository actions such as merging, updating versions, creating commits, pushing to remote, and creating pull requests, yet the documentation presents them as automatic steps without user approval checkpoints. In a skill system, these actions can alter source control state and publish changes externally, making accidental or unsafe execution materially dangerous.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Claiming that workflows execute automatically with 'no manual intervention required' encourages fully autonomous operation without warning users about system-impacting behavior. This increases the likelihood that users invoke the skill without realizing it may change code, repository state, or other project artifacts on their behalf.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly instructs users to execute installer scripts and shell commands that clone a repository, change directories, set executable permissions, and copy files into platform skill directories, but it does not warn that these actions alter the local environment or recommend reviewing the scripts first. In an AI-skill context, encouraging one-click execution increases the chance that users will run unreviewed code or make persistent system changes without understanding the trust boundary.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The usage examples normalize autonomous actions such as applying code fixes, changing configuration, stashing or merging git state, and deploying to production, yet they do not include strong cautions that these commands may modify source code, repositories, runtime settings, or live systems. In this skill's context, that is more dangerous because the documented commands are framed as routine assistant operations, which can cause users to over-trust destructive or high-impact automation.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The quickstart says natural language like 'review my code' or 'deploy to production' can trigger skill actions, which creates ambiguity between casual conversation and high-impact command execution. In an assistant platform, overly broad invocation phrases can cause unintended reviews, modifications, or release workflows to start without the user's explicit informed intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The deployment example presents automated release behavior as a normal one-step interaction and shows actions like merging branches, updating versions, and creating PRs without any warning, approval step, or scope limitation. In a development assistant context, this can normalize destructive or production-impacting behavior and increase the chance of accidental deployment or repository state changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code review and QA examples imply the assistant can automatically fix issues and bugs, with phrases like 'Auto-fixes Applied' and 'Test and fix bugs,' but they do not warn that local files, branches, or generated patches may be modified. This is dangerous because users may invoke what sounds like analysis-only tooling and unintentionally authorize code changes in their workspace.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal