Skill Publisher

Security checks across malware telemetry and agentic risk

Overview

This publishing skill matches its stated purpose, but it ships with unsafe credential handling and under-scoped external publishing behavior that should be reviewed before use.

Review and remove the hardcoded GitHub token and local path before installing or running this skill, rotate the exposed token if it belongs to you, and only use the publisher after confirming the target repository, account, visibility, files to upload, and ClawHub slug. Prefer the gh CLI or a secure credential manager; do not let the skill parse or reuse tokens embedded in git remotes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The document explicitly instructs extracting a GitHub token from existing git remotes, which is credential harvesting behavior. Even in a publishing skill, reusing secrets by scraping them from remotes bypasses normal consent and secret-handling boundaries, and could expose or misuse long-lived credentials beyond the intended repository.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The release notes assert that a security audit found no credentials or local paths, but this same script contains both a hardcoded GitHub token and a hardcoded local filesystem path. That contradiction is dangerous because it can mislead reviewers and users into trusting and running code that already exposes secrets and environment details.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The README promotes a bare one-word trigger, "publish," to initiate a workflow that can create repositories, push content to GitHub, and publish to ClawHub. Ambiguous activators increase the chance of accidental invocation during ordinary conversation, which is risky because the skill performs external, state-changing actions.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The trigger guidance lists highly generic commands like "publish," "new," "update," and "iterate" without requiring a skill-specific object or target. In agent environments, these common words are likely to appear in unrelated requests, which can cause unintended activation of a workflow that modifies repos and transmits data externally.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README advertises automated pushing to GitHub and ClawHub, including a REST API fallback, but does not clearly warn users that local project contents and metadata may be transmitted to third-party services. This omission can lead users to invoke the skill without understanding that sensitive material could leave the local environment if scanning is incomplete or misconfigured.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrases are broad enough to overlap with ordinary requests like '发布' ("publish"), '更新' ("update"), or '迭代' ("iterate"), which can cause the publishing workflow to activate when the user did not explicitly intend to push content to GitHub or ClawHub. In this skill, accidental activation is more dangerous than usual because the described workflow can perform remote publication and fallback uploads to external services.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README emphasizes one-click publishing and fallback upload mechanisms but does not prominently warn users that content may be pushed to remote services or uploaded through alternate channels if the primary push fails. In a publishing skill, this omission materially increases the risk of unintended data exfiltration, accidental disclosure of private content, or user surprise about where files are being sent.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The mode detection relies on generic words like '发布' ("publish"), '新建' ("new"), '更新' ("update"), and 'publish', which can appear in ordinary conversation outside the intended repository-publishing context. Overbroad activation can cause the skill to enter a workflow that generates files, bumps versions, or prepares publication when the user did not intend to trigger those actions.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger list contains broad phrases like '新建仓库' ("create repository") and 'publish skill' without requiring enough context to distinguish skill publishing from general repository work. In an agent environment, ambiguous triggers increase the risk of the wrong skill being invoked and performing sensitive repository operations on unintended targets.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The skill describes publishing and updating repositories but does not prominently warn that it may modify files, create releases, push commits, or publish to external platforms. Users may not understand the scope of side effects, which is especially risky for a tool with network and repository-write semantics.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The instructions expose a concrete technique for discovering GitHub tokens in remote URLs without any warning that these are sensitive credentials. In a skill whose job is publishing, this is especially dangerous because it normalizes secret extraction as part of workflow automation and increases the chance of unauthorized reuse or disclosure.

Missing User Warnings

Severity: High
Confidence: 100%
Finding
A GitHub personal access token is hardcoded directly in the script and then used in authenticated API requests. Anyone who obtains the file can reuse the token to act as the account within the token's scope, leading to repository compromise, unauthorized changes, data access, or destructive actions.

Ssd 3

Severity: High
Confidence: 95%
Finding
The instruction to extract a token from existing `git remote -v` is dangerous because remotes may embed credentials in URLs, causing the agent to read, expose, or reuse stored secrets outside intended handling paths. This creates a real credential theft and leakage risk, especially if the agent later logs, summarizes, or republishes the extracted value.

Ssd 3

Severity: High
Confidence: 99%
Finding
Describing how to extract and reuse a GitHub token from git remotes creates an unsafe secret-handling pattern. If followed by an agent or user, it could lead to unauthorized access to repositories, account actions, or leakage of credentials through logs, prompts, or downstream commands.

VirusTotal

65/65 vendors flagged this skill as clean.