skill-orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its skill-management purpose, but it explicitly teaches bypassing token redaction for a GitHub PAT and includes persistent auto-load guidance, so it should be reviewed before installation.

Install only if you are prepared to review and remove the token-redaction bypass guidance first. Do not give this skill raw GitHub PATs in code execution; use scoped credentials through approved secret storage, require confirmation before config or publishing changes, and avoid enabling auto-load unless you want it active in future sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill explicitly documents a method to bypass token desensitization by splitting and recombining a GitHub PAT for use in code execution. That is not necessary for orchestration or publishing guidance and directly undermines a security control intended to prevent credential exposure and misuse.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The document first assures users that publishing is protected by mandatory security scanning, then later provides instructions to circumvent token-redaction safeguards. This creates a contradictory and deceptive trust model that can induce operators to rely on protections that the same skill teaches them to evade.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrases include broad everyday expressions such as asking which skill to use, which can cause the orchestrator to auto-load in unintended contexts. Because this skill can route tasks, inspect skills, and initiate management actions, accidental activation increases the chance of overreach and unsafe operations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill describes commands that modify auto-load configuration and discusses publishing to external repositories, but it does not present clear user-facing risk warnings or consent checkpoints. In practice, this could lead to persistent environment changes or public disclosure of internal assets without sufficiently informed approval.

Ssd 2

Severity: High
Confidence: 99%
Finding
This is a direct instruction to evade token-redaction protections through obfuscation and reassembly of a PAT. In the context of a skill that supports publishing and references execute_code, the guidance materially enables secret handling outside approved controls and can facilitate credential theft, exfiltration, or unauthorized repository access.
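The weakness behind the two PAT findings above is that a redactor matching whole tokens in source text is blind to a token split across several literals and recombined at runtime, which is also why the overview says not to hand raw PATs to code execution at all. The following is an added example, not code from the skill-orchestrator skill, SkillSpector or NVIDIA: a pre-execution gate for an execute_code-style tool that constant-folds string concatenation, f-strings and sep.join([...]) in a Python snippet before matching the PAT pattern, shown beside the naive regex redaction it replaces. The function names, the PAT regex and the sample snippets are assumptions constructed for illustration; the tokens in the samples are placeholders of the right shape, not real credentials.

```python
"""Pre-execution gate for an execute_code-style tool.

Added example for this report; not code from the skill-orchestrator skill,
SkillSpector or NVIDIA. Function names, the PAT regex and the sample
snippets are assumptions constructed for illustration.
"""
import ast
import re

# Classic GitHub PAT shape: "ghp_" followed by 36 alphanumerics.
PAT_RE = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")


def naive_redact(source: str) -> str:
    """Regex redaction over raw source text. Catches a whole-token literal
    but leaves a token that is split across several literals untouched."""
    return PAT_RE.sub("<REDACTED_PAT>", source)


class _Folder(ast.NodeVisitor):
    """Constant-fold str/list literals, names bound to them, '+',
    f-strings and sep.join([...]) so a reassembled token is visible whole."""

    def __init__(self):
        self.consts = {}    # name -> folded str or list of str
        self.found = set()  # tokens matched in any folded string

    def fold(self, node):
        if isinstance(node, ast.Constant):
            return node.value if isinstance(node.value, str) else None
        if isinstance(node, ast.Name):
            return self.consts.get(node.id)
        if isinstance(node, (ast.List, ast.Tuple)):
            parts = [self.fold(e) for e in node.elts]
            return parts if all(isinstance(p, str) for p in parts) else None
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            left, right = self.fold(node.left), self.fold(node.right)
            if isinstance(left, str) and isinstance(right, str):
                return left + right
            if isinstance(left, list) and isinstance(right, list):
                return left + right
            return None
        if isinstance(node, ast.JoinedStr):  # f-string
            parts = []
            for v in node.values:
                if isinstance(v, ast.FormattedValue):
                    if v.conversion != -1 or v.format_spec is not None:
                        return None
                    parts.append(self.fold(v.value))
                else:
                    parts.append(self.fold(v))
            return "".join(parts) if all(isinstance(p, str) for p in parts) else None
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "join" and len(node.args) == 1
                and not node.keywords):
            sep, parts = self.fold(node.func.value), self.fold(node.args[0])
            if isinstance(sep, str) and isinstance(parts, list):
                return sep.join(parts)
        return None

    def visit_Assign(self, node):
        # Remember what each simple name is bound to, then walk children.
        value = self.fold(node.value)
        if value is not None:
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.consts[target.id] = value
        self.generic_visit(node)

    def generic_visit(self, node):
        # Fold every node; any folded string is scanned for the PAT shape.
        folded = self.fold(node)
        if isinstance(folded, str):
            self.found.update(PAT_RE.findall(folded))
        super().generic_visit(node)


def find_pats(source: str) -> list:
    """Return the PATs present in the snippet, whole or reassembled.
    Static and best-effort: tokens built from os.environ, chr() or base64
    at runtime are not seen, which is why the real control is never
    handing a raw PAT to the execution sandbox in the first place."""
    folder = _Folder()
    folder.visit(ast.parse(source))
    return sorted(folder.found)


# Constructed samples (not from the skill); placeholder tokens only.
WHOLE_TOKEN_SNIPPET = 'token = "ghp_' + "A" * 36 + '"\n'
SPLIT_TOKEN_SNIPPET = (
    'prefix = "ghp_"\n'
    'part1 = "' + "A" * 18 + '"\n'
    'part2 = "' + "A" * 18 + '"\n'
    'token = prefix + part1 + part2\n'
    'headers = {"Authorization": f"token {token}"}\n'
)
JOIN_SNIPPET = (
    'pieces = ["ghp_", "' + "B" * 12 + '", "' + "B" * 12 + '", "' + "B" * 12 + '"]\n'
    'token = "".join(pieces)\n'
)
BENIGN_SNIPPET = 'name = "gh" + "p_" + "not a token"\n'

if __name__ == "__main__":
    for label, snippet in [("whole", WHOLE_TOKEN_SNIPPET), ("split", SPLIT_TOKEN_SNIPPET),
                           ("join", JOIN_SNIPPET), ("benign", BENIGN_SNIPPET)]:
        print(label, "naive redaction changed text:", naive_redact(snippet) != snippet,
              "| folded scan found:", find_pats(snippet))
```

The split and join samples pass naive_redact unchanged, which is the bypass the findings describe, while find_pats reports the reassembled token in both. Treat a non-empty result as a hard stop for the execute_code call rather than something to redact and continue with; the folding covers only literal concatenation, so the gate complements, and does not replace, keeping credentials in approved secret storage and out of executed code.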

VirusTotal

59/59 vendors flagged this skill as clean.
