PublishGuard — Post Verification & Credential Manager

Security checks across malware telemetry and agentic risk

Overview

PublishGuard has a legitimate post-verification purpose, but it can store publishing tokens in plaintext while claiming credentials are never stored that way.

Review before installing if you plan to store real API keys or tokens. The post-verification workflow is useful, but do not rely on the encrypted-vault promise unless the default plaintext CredentialStore is replaced or disabled. Use low-privilege, revocable tokens, avoid shared or backed-up workspaces, and check for and delete any publish_guard_creds.json files after testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Intent-Code Divergence

Medium
Confidence: 78%
Finding
The documentation makes strong security guarantees about secure deletion of plaintext credentials and machine-bound encrypted storage without providing any verifiable implementation details in the skill file. Users may rely on these assurances and handle secrets less cautiously, creating a real security risk if plaintext copies remain recoverable or the protection is weaker than claimed.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The credential store persists platform authentication data as plaintext JSON on disk while describing the location as a secure vault. Any local user, compromised process, backup system, or accidental file disclosure can recover bearer tokens or other secrets and use them to impersonate the agent on external platforms. In this skill's context, the issue is more dangerous because the whole feature is explicitly designed to retain reusable publishing credentials across sessions.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The module advertises AES-256-CBC/Fernet-compatible encryption, but the code actually implements a custom HMAC-derived stream cipher and custom file format. Misrepresenting cryptographic guarantees is dangerous because operators and downstream code may rely on interoperability or security properties that are not actually provided, increasing the chance of insecure deployment and failed audits.

Intent-Code Divergence

Low
Confidence: 89%
Finding
The documentation claims machine binding is derived from a MAC address hash, but the implementation only uses hostname, username, home directory, and workspace path. This creates a false sense of device binding strength and may cause users to overestimate how hard it is to reproduce the fingerprint on another system with similar environment values.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill encourages persistent storage of API keys and tokens but does not present clear user-facing warnings about the risks of storing long-lived credentials on disk. This can lead users to place sensitive platform credentials into the tool without understanding exposure, retention, backup, or compromise implications.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documented audit trail writes publishing activity and verification data to disk without warning that URLs, timestamps, platform names, and possibly content identifiers may be sensitive. In shared or monitored environments, these logs could leak operational details, account activity, or private publication metadata.

Missing User Warnings

Medium
Confidence: 92%
Finding
The code silently writes sensitive platform auth data to a persistent local file without any explicit warning, consent flow, or visibility to the user. This increases the chance that operators unknowingly leave long-lived tokens on disk, which can later be stolen, copied into logs/backups, or persist beyond the intended session boundary.

Missing User Warnings

Medium
Confidence: 94%
Finding
The migration function overwrites and deletes the original plaintext credential file automatically, with no confirmation, backup, or recovery path. In a credential-management context this is risky because a failed or partial migration can destroy the only copy of sensitive operational secrets, causing outages and unrecoverable data loss.

VirusTotal

65/65 vendors flagged this skill as clean.