Gstack Skills

Security checks across malware telemetry and agentic risk

Overview

This looks like a real development workflow skill, but it can route broad user phrases into code-changing or release workflows without strong upfront consent boundaries.

Install only if you are comfortable with a skill that may inspect git state, save local workflow context, propose or apply code changes, and steer toward release workflows. Prefer explicit slash commands, require confirmation before any edits, merges, pushes, PR creation, or deployment steps, and review or clear .workbuddy/gstack-state if the project contains sensitive plans or code context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises broad development workflow capabilities, including QA, review, and shipping, but does not declare permissions despite apparently requiring file read/write access. Undeclared capabilities weaken the trust boundary for users and hosts because the skill may read or modify repository files without explicit authorization or user awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior says this skill is a router for specialized workflows, but the detected behavior includes persistent local state management and implicit keyword-based routing of ordinary text. Hidden persistence and non-explicit activation materially expand the skill's authority and can cause unintended data retention, unexpected file operations, or surprise invocation of powerful workflows like review, QA, or ship.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a review tool, but the workflow expands into changing repository contents via automatic fixes. That creates a capability mismatch: users may invoke a read/analyze action and unexpectedly grant the agent write access to code, increasing the chance of unreviewed or harmful modifications.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file contains conflicting instructions: earlier sections authorize automatic fixes, while the safety section says to get confirmation before applying them. In practice, such ambiguity is dangerous because an agent may follow the earlier action-oriented instructions and modify code without informed user consent.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
Saying that a review 'isn't done until issues are addressed' redefines a diagnostic skill into an autonomous code-changing workflow. This pressures the agent to act beyond review and can lead to unsanctioned edits, especially when combined with broad invocation triggers and auto-fix language elsewhere in the skill.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The guidance for activating `/office-hours` includes generic phrases like 'I have an idea' and 'help me think through this,' which overlap with normal conversation. If the router uses those cues implicitly, users may trigger a specialized workflow without intending to, potentially causing context leakage into another skill or initiating actions under the wrong operating mode.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The condition 'User needs guidance' is too ambiguous to safely define when this router should take control. Ambiguous activation criteria increase the chance of over-triggering, which can redirect benign requests into higher-privilege or more action-oriented workflows without clear user intent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The `/ship` command is described as handling deployment-related actions, including merge, tests, versioning, and PR creation, but the markdown lacks a direct warning that these actions can alter repository and release state. Users may invoke it without understanding the operational consequences, increasing the risk of accidental releases or repository modifications.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to match ordinary conversation such as 'brainstorm' or 'help me think through this,' which can cause the skill to activate outside its intended product-ideation context. In an agent system, ambiguous routing can override a more appropriate skill, leading to incorrect guidance, unintended data capture into a design document, or workflow confusion.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The usage examples list highly ambiguous phrases like 'I have an idea' and 'is this a good idea?' without restricting domain or intent, making accidental invocation likely. Because this skill can steer the conversation, ask structured questions, and hand off to other skills, broad activation increases the chance of misrouting and unnecessary propagation through downstream workflows.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation phrases are broad enough to match ordinary requests like 'code review' or 'review this PR' without clarifying whether the skill will only analyze or may also edit files. Because this skill includes auto-fix behavior, ambiguous activation increases the risk of unintended execution in sensitive repositories.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Additional examples like 'review my changes' and 'code is about to be merged' are still open-ended and may trigger the skill in contexts where the user only expects commentary. In a tool that may inspect git state and alter files, accidental activation materially raises operational risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states it performs systematic review with automatic execution before clearly warning that repository files may be modified. This undermines informed consent and makes it more likely that users trigger a write-capable workflow without understanding the consequences.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The router performs implicit keyword-based dispatch to operational skills such as 'ship' based on free-form text, without requiring an explicit command or confirmation. In a workflow suite that includes release, merge, and deployment actions, this can cause users to be routed into higher-risk automation unexpectedly, increasing the chance of unintended code shipping or execution of sensitive workflows.

VirusTotal

64/64 vendors flagged this skill as clean.