Ghostclaw

Security checks across malware telemetry and agentic risk

Overview

Ghostclaw mostly fits the profile of an architecture-review tool, but it also includes a self-update path and broad background automation that can modify the local installation and GitHub state without strong safeguards.

Review this skill carefully before installing. Use it only on repositories you intend it to read, avoid --update, keep hook or cron modes disabled unless you explicitly want background scans, run watcher mode with --dry-run first, and do not enable --create-pr or provide GitHub tokens unless they are least-privilege and limited to the intended repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Fallback to pip update
try:
    print("Updating via pip...")
    subprocess.run([sys.executable, "-m", "pip", "install", "--upgrade", "ghostclaw"], check=True)
    print("✅ Updated via pip.")
except subprocess.CalledProcessError as e:
    print(f"❌ Failed to update via pip: {e}", file=sys.stderr)
Confidence
97% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "--upgrade", "ghostclaw"], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if is_git:
    print(f"Detected git repository at {package_root}. Pulling latest changes...")
    subprocess.run(["git", "pull"], cwd=package_root, check=True)
    print("✅ Updated via git.")
    # Also run pip install . to ensure dependencies are updated if pyproject.toml changed
    subprocess.run([sys.executable, "-m", "pip", "install", "-e", "."], cwd=package_root, check=True)
Confidence
96% confidence
Finding
subprocess.run(["git", "pull"], cwd=package_root, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        subprocess.run(["git", "pull"], cwd=package_root, check=True)
        print("✅ Updated via git.")
        # Also run pip install . to ensure dependencies are updated if pyproject.toml changed
        subprocess.run([sys.executable, "-m", "pip", "install", "-e", "."], cwd=package_root, check=True)
        return

except Exception as e:
Confidence
97% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "-e", "."], cwd=package_root, check=True)
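The three subprocess findings above share one pattern: a static argv that runs pip install or git pull from inside the skill. The following scanner is an added example (not Ghostclaw's code and not SkillSpector's implementation) that reproduces that check with Python's ast module: it resolves the argv list of each subprocess call, flags the install- or checkout-modifying ones, and also reports shell=True and argv it cannot resolve statically. SAMPLE_SOURCE is constructed to mirror the flagged update function; the function and package names in it are placeholders.

```python
"""Static check for self-modifying subprocess calls in a skill's Python source.

Added example; not Ghostclaw's code and not SkillSpector's implementation.
It walks the AST for subprocess.run/call/check_call/check_output/Popen and
flags argv lists that invoke `pip install`, `git pull`, `git clone` or
`git checkout`, plus shell=True and argv that cannot be resolved statically.
"""
import ast
from dataclasses import dataclass

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

# (reason, tokens that must appear in argv in this order)
SELF_MODIFY_PATTERNS = [
    ("pip install", ("pip", "install")),
    ("git pull", ("git", "pull")),
    ("git clone", ("git", "clone")),
    ("git checkout", ("git", "checkout")),
]


@dataclass
class Finding:
    line: int
    argv: list
    reason: str


def _literal_argv(node):
    """Resolve the first positional argument to string tokens.

    Constant strings are kept, `sys.executable` becomes "<python>", anything
    else becomes "<dyn>". A bare string argument is split on whitespace."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value.split()
    if not isinstance(node, (ast.List, ast.Tuple)):
        return ["<dyn>"]
    tokens = []
    for elt in node.elts:
        if isinstance(elt, ast.Constant) and isinstance(elt.value, str):
            tokens.append(elt.value)
        elif isinstance(elt, ast.Attribute) and elt.attr == "executable":
            tokens.append("<python>")
        else:
            tokens.append("<dyn>")
    return tokens


def _is_subprocess_call(call):
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr in SUBPROCESS_FUNCS
            and isinstance(func.value, ast.Name) and func.value.id == "subprocess")


def _contains_in_order(argv, pattern):
    """True if every token of `pattern` appears in argv in that order."""
    idx = 0
    for tok in argv:
        if tok == pattern[idx]:
            idx += 1
            if idx == len(pattern):
                return True
    return False


def scan_source(source):
    """Return Findings for subprocess calls that can modify the install or checkout."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_subprocess_call(node)):
            continue
        argv = _literal_argv(node.args[0]) if node.args else ["<dyn>"]
        shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True for kw in node.keywords)
        reason = next((r for r, pat in SELF_MODIFY_PATTERNS if _contains_in_order(argv, pat)), None)
        if reason is None and shell:
            reason = "shell=True"
        if reason is None and "<dyn>" in argv:
            reason = "dynamic argv (review manually)"
        if reason is not None:
            findings.append(Finding(node.lineno, argv, reason))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample mirroring the flagged snippet; not Ghostclaw's actual source.
SAMPLE_SOURCE = '''
import subprocess, sys

def self_update(package_root, is_git):
    if is_git:
        subprocess.run(["git", "pull"], cwd=package_root, check=True)
        subprocess.run([sys.executable, "-m", "pip", "install", "-e", "."], cwd=package_root, check=True)
        return
    subprocess.run([sys.executable, "-m", "pip", "install", "--upgrade", "ghostclaw"], check=True)

def recent_commits(path):
    # Read-only call with a static argv: not a self-modification, not flagged.
    return subprocess.run(["git", "log", "--oneline", "-5"], cwd=path, capture_output=True, text=True)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.reason}: {f.argv}")
```

The read-only `git log` call is deliberately left unflagged so the check stays about modification, not about subprocess use as such; anything built from variables falls back to a manual-review finding rather than being silently passed.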

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises capabilities to read/write files, access environment variables, and invoke shell commands, but does not declare permissions or clearly constrain those actions. This creates a trust and authorization gap where an agent or operator may invoke repository-modifying or token-using behavior without realizing the full access required.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
A self-update capability that executes git and pip operations is outside the core architectural-analysis purpose and lets the tool modify itself and its environment. In an agent skill that creates unnecessary supply-chain and persistence risk, because the skill's normal invocation surface then includes downloading and installing code.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The watcher accepts entries from a user-supplied repos file and treats existing local filesystem paths as repositories, copying their contents into the working directory. That broadens the tool from remote repo monitoring into arbitrary local file collection, which can expose sensitive source trees or private data if the repos file is attacker-influenced or misconfigured.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The code comment suggests local path handling is only for testing, but the production CLI executes that behavior for any repos-file entry. This mismatch can cause operators to trust the tool's scope incorrectly, making accidental local data ingestion more likely.
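The two watcher findings above (local paths treated as repositories, and the testing-only comment that does not match production behaviour) come down to input validation on the repos file. The parser below is an added example, not Ghostclaw's code: it accepts only https URLs of the form https://host/owner/repo on an allowlisted host (optionally an allowlisted owner) and rejects, with a stated reason, anything that would resolve to a local path, an scp-style git URL, or a URL carrying credentials. The hosts, owners and paths in SAMPLE_REPOS_FILE are constructed placeholders.

```python
"""Allowlist parser for a watcher's repos file.

Added example; not Ghostclaw's code. One entry per line, `#` comments allowed.
Only https://<host>/<owner>/<repo> on an allowlisted host is accepted, so a
misconfigured or attacker-influenced file cannot turn the watcher into a
local file collector.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"github.com"}
_SLUG = re.compile(r"^[A-Za-z0-9_.-]+$")
_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


@dataclass
class RepoEntry:
    url: str
    owner: str
    name: str


@dataclass
class ParseResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (line_no, entry, reason)


def parse_repo_entry(entry, allowed_owners=None):
    """Return a normalised RepoEntry or raise ValueError explaining the rejection."""
    entry = entry.strip()
    if entry.startswith(("/", "~", ".")) or "\\" in entry or _DRIVE.match(entry):
        raise ValueError("local filesystem path")
    if "://" not in entry:
        # Covers bare names and scp-style git@host:owner/repo, which git would also accept.
        raise ValueError("not a URL")
    parts = urlsplit(entry)
    if parts.scheme != "https":
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} not allowlisted")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        raise ValueError("expected https://<host>/<owner>/<repo>")
    owner, name = segments
    if name.endswith(".git"):
        name = name[:-4]
    if owner in {".", ".."} or name in {".", ".."} or not (_SLUG.match(owner) and _SLUG.match(name)):
        raise ValueError("owner or repo contains unexpected characters")
    if allowed_owners is not None and owner not in allowed_owners:
        raise ValueError(f"owner {owner!r} not allowlisted")
    return RepoEntry(f"https://{parts.hostname}/{owner}/{name}", owner, name)


def parse_repos_file(text, allowed_owners=None):
    """Parse the whole file, collecting accepted entries and rejections by line."""
    result = ParseResult()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            result.accepted.append(parse_repo_entry(line, allowed_owners))
        except ValueError as exc:
            result.rejected.append((line_no, line, str(exc)))
    return result


# Constructed sample file; the repositories and hosts are placeholders.
SAMPLE_REPOS_FILE = """\
# watcher targets
https://github.com/example-org/service-a
https://github.com/example-org/service-b.git
/home/dev/private-monorepo              # a local tree the watcher must not copy
git@github.com:example-org/service-c.git
https://gitlab.example.net/team/tool
https://github.com/other-org/forked-tool
https://user:token@github.com/example-org/service-d
C:\\Users\\dev\\repo
"""

if __name__ == "__main__":
    result = parse_repos_file(SAMPLE_REPOS_FILE, allowed_owners={"example-org"})
    for entry in result.accepted:
        print("watch  ", entry.url)
    for line_no, entry, reason in result.rejected:
        print(f"reject line {line_no}: {entry!r}: {reason}")
```

Rejections are returned rather than silently skipped so the watcher can refuse to start on a file with any rejected line, which is the behaviour an operator wants when the file may be edited by someone else.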

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger conditions are broad and subjective, such as when code "feels off" or a repository needs "vibe health monitoring," which can cause the skill to be invoked in contexts the user did not intend. Because the skill can write reports and potentially open PRs, accidental invocation can lead to unnecessary codebase changes or automated actions on sensitive repositories.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The ad-hoc review mode states that it will auto-generate a report in the repository root and can automatically create a GitHub PR, but the description does not prominently warn that the skill may modify the repository or external GitHub state. Users may expect passive analysis and instead trigger writes or PR creation, especially if integrated into larger automated agent flows.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The background watcher is described as cloning or pulling repositories, opening PRs, and sending notifications automatically, but lacks a clear safety warning about those autonomous external and repository-modifying actions. In a cron context, this is more dangerous because the operations can recur unattended across multiple repositories, amplifying the chance of unintended changes or token misuse.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The hook is configured to react to generic `command` and `system` events without documented scoping, filtering, or rate limits. In a background skill that analyzes repositories and may take follow-on actions, broad triggers increase the chance of unintended execution, excessive repository access, and surprise automation beyond what a user reasonably expects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file states the hook can 'proactively open PRs' in the background but does not present a strong warning, approval flow, or default-safe behavior around this repository-modifying capability. Automatic PR creation can change project state, create noise, or be abused to introduce unwanted changes if triggered too broadly or on untrusted repositories.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The self-update path performs repository and package modifications without a strong warning about changing the local installation and dependencies. This increases the chance of unsafe operator use and makes silent environment drift or malicious upstream changes more likely to be applied inadvertently.
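Both self-update findings (the Context-Inappropriate Capability finding earlier and this one) point the same way: the safest fix is to drop self-update from an agent skill. If an update path must exist, the following is an added example of a default-safe shape, not Ghostclaw's code. Planning is separated from execution; a plan is refused without an explicit opt-in, refused when the git remote is not the expected one, and always pins an exact version with a hash (pip --require-hashes) or an exact commit rather than running pip install --upgrade or git pull. execute() is dry-run by default and only reports what it would run. The package name, remote URL, version and digests are placeholders.

```python
"""Default-safe shape for an optional self-update path.

Added example; not Ghostclaw's code. Plans are refused without an explicit
opt-in and without a pinned version/commit; execute() is dry-run by default.
"""
import re
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field

_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_COMMIT = re.compile(r"^[0-9a-f]{40}$")
_VERSION = re.compile(r"^\d+(\.\d+)*$")
REQ_PLACEHOLDER = "<requirements-file>"


@dataclass
class UpdatePlan:
    commands: list = field(default_factory=list)  # argv lists, run in order
    requirements: str = ""                        # pip requirements text, if any
    note: str = ""


def _require_opt_in(opt_in):
    if not opt_in:
        raise PermissionError("self-update is off by default; requires an explicit opt-in flag")


def plan_pip_update(package, version, sha256, *, opt_in=False):
    """Plan a pinned, hash-verified install of `package==version`."""
    _require_opt_in(opt_in)
    if not _VERSION.match(version) or not _SHA256.match(sha256):
        raise ValueError("version must be an exact release and sha256 a 64-hex artifact digest")
    # pip only accepts --hash inside a requirements file; with --require-hashes it
    # refuses any artifact whose digest is not listed, so a tampered index or an
    # unexpected newer release cannot be installed.
    requirements = f"{package}=={version} --hash=sha256:{sha256}\n"
    argv = [sys.executable, "-m", "pip", "install", "--require-hashes", "-r", REQ_PLACEHOLDER]
    return UpdatePlan([argv], requirements, f"pin {package}=={version}")


def plan_git_update(package_root, remote_url, expected_remote, commit, *, opt_in=False):
    """Plan a checkout of an exact commit from the expected remote, then an editable install.

    `remote_url` is what the checkout currently points at (the output of
    `git remote get-url origin`); the caller obtains it before planning."""
    _require_opt_in(opt_in)
    if remote_url != expected_remote:
        raise ValueError(f"refusing to update from unexpected remote {remote_url!r}")
    if not _COMMIT.match(commit):
        raise ValueError("commit must be a full 40-hex SHA, not a branch or tag name")
    # `git pull` takes whatever the branch points at now; fetching and checking out
    # a fixed SHA makes the update content-addressed and reviewable in advance.
    return UpdatePlan([
        ["git", "-C", package_root, "fetch", "--depth", "1", "origin", commit],
        ["git", "-C", package_root, "checkout", "--detach", commit],
        [sys.executable, "-m", "pip", "install", "-e", package_root],
    ], note=f"checkout {commit[:12]} from {expected_remote}")


def execute(plan, *, dry_run=True, executor=None):
    """Return the concrete commands; run them only when dry_run=False.

    `executor` is injectable so callers (and tests) can record instead of run."""
    executor = executor or (lambda argv: subprocess.run(argv, check=True))
    commands = [list(argv) for argv in plan.commands]
    if not dry_run and plan.requirements:
        with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
            fh.write(plan.requirements)
        commands = [[fh.name if a == REQ_PLACEHOLDER else a for a in argv] for argv in commands]
    if not dry_run:
        for argv in commands:
            executor(argv)
    return commands


if __name__ == "__main__":
    plan = plan_pip_update("ghostclaw", "1.4.2", "0" * 64, opt_in=True)  # placeholder digest
    for argv in execute(plan):  # dry run: nothing is installed
        print("would run:", " ".join(argv))
```

The editable install after the git checkout is kept because the original code relies on it to refresh dependencies; in practice those dependencies should be governed by a hash-pinned constraints file of their own, which this example does not include.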

VirusTotal

66/66 vendors flagged this skill as clean.
