Back to skill

Security audit

Ghostclaw Clone

Security checks across malware telemetry and agentic risk

Overview

Ghostclaw looks like a real architecture review tool, but it needs Review because it can execute repo-local plugins, modify or publish repository content, self-update, and run persistent services.

Install only if you trust the publisher and need these automation features. Treat .ghostclaw/plugins in any repository as executable code, avoid the debug console except in trusted local development, review reports before PR creation, use least-privilege GitHub and AI provider tokens, and enable watcher/systemd/update features only deliberately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (46)

eval() call detected

High
Category
Dangerous Code Execution
Content
return
        try:
            # Evaluate in context
            result = eval(line, globals(), self.ctx)
            if result is not None:
                print(repr(result))
        except Exception as e:
Confidence
99% confidence
Finding
result = eval(line, globals(), self.ctx)

eval() call detected

High
Category
Dangerous Code Execution
Content
print("Usage: /py EXPRESSION")
            return
        try:
            result = eval(arg, globals(), self.ctx)
            if result is not None:
                print(f"\x1b[32m{repr(result)}\x1b[0m")
        except Exception as e:
Confidence
99% confidence
Finding
result = eval(arg, globals(), self.ctx)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            print("Updating via pip...")
            subprocess.run([sys.executable, "-m", "pip", "install", "--upgrade", "ghostclaw"], check=True)
            print("✅ Updated via pip.")
            return 0
        except subprocess.CalledProcessError as e:
Confidence
88% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "--upgrade", "ghostclaw"], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if is_git:
                print(f"Detected git repository at {package_root}. Pulling latest changes...")
                subprocess.run(["git", "pull"], cwd=package_root, check=True)
                print("✅ Updated via git.")
                subprocess.run([sys.executable, "-m", "pip", "install", "-e", "."], cwd=package_root, check=True)
                return 0
Confidence
91% confidence
Finding
subprocess.run(["git", "pull"], cwd=package_root, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"Detected git repository at {package_root}. Pulling latest changes...")
                subprocess.run(["git", "pull"], cwd=package_root, check=True)
                print("✅ Updated via git.")
                subprocess.run([sys.executable, "-m", "pip", "install", "-e", "."], cwd=package_root, check=True)
                return 0

        except Exception as e:
Confidence
95% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "-e", "."], cwd=package_root, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Add report with force (to bypass gitignore if needed)
            rel_report_path = report_file.relative_to(Path(self.repo_path))
            subprocess.run(["git", "add", "-f", str(rel_report_path)], cwd=self.repo_path, check=True, capture_output=True, text=True)

            # Commit
            subprocess.run(["git", "commit", "-m", f"Add architecture report: {report_file.name}"], cwd=self.repo_path, check=True, capture_output=True, text=True)
Confidence
91% confidence
Finding
subprocess.run(["git", "add", "-f", str(rel_report_path)], cwd=self.repo_path, check=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(["git", "fetch", "origin"], check=True, capture_output=True)

            # Create branch from base (main)
            subprocess.run(["git", "checkout", "-B", branch_name, "origin/main"], check=True, capture_output=True)

            # Copy files into working tree
            for src in files_to_commit:
Confidence
84% confidence
Finding
subprocess.run(["git", "checkout", "-B", branch_name, "origin/main"], check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Stage and commit
            subprocess.run(["git", "add", "-A"], check=True, capture_output=True)
            subprocess.run(["git", "commit", "-m", commit_message], check=True, capture_output=True)

            # Push
            subprocess.run(["git", "push", "-u", "origin", branch_name], check=True, capture_output=True)
Confidence
76% confidence
Finding
subprocess.run(["git", "commit", "-m", commit_message], check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(["git", "commit", "-m", commit_message], check=True, capture_output=True)

            # Push
            subprocess.run(["git", "push", "-u", "origin", branch_name], check=True, capture_output=True)

            os.chdir(old_cwd)
            return True
Confidence
85% confidence
Finding
subprocess.run(["git", "push", "-u", "origin", branch_name], check=True, capture_output=True)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented skill scope centers on architectural review/refactoring, but the symbol index shows autonomous repository-watcher behavior that can clone or pull repositories and create GitHub PRs. This capability expansion is security-relevant because it crosses from analysis into external side effects, increasing the risk of unintended code modification, data exposure, or abuse if invoked with repository credentials or broad automation permissions.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Plugin management and scaffolding are materially broader than a pure code-review assistant and can enable loading or generating extension code not implied by the manifest. In a skill ecosystem, this increases attack surface by introducing dynamic extensibility, potential untrusted plugin execution paths, and user confusion about what the skill is allowed to install or run.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation explicitly describes discovery and loading of repository-local Python plugins from .ghostclaw/plugins/, which creates an arbitrary code execution extension mechanism in the context of analyzing untrusted repositories. Because Ghostclaw can be invoked as a sub-agent or background watcher, this makes the skill context more dangerous: merely operating on a repository could lead to execution of attacker-supplied Python code if plugin loading is enabled.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This script installs, enables, and starts a systemd service under /etc/systemd/system using sudo, which creates privileged persistence and background execution beyond a normal code-review/refactoring assistant's stated purpose. Even if intended as convenience tooling, this materially expands the trust boundary and gives the skill a long-lived execution path on the host.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script performs privileged system administration actions such as copying files into /etc/systemd/system, reloading systemd, enabling boot persistence, and starting a daemon. For a skill described as an architectural review/refactoring assistant, these actions are not clearly justified and increase the risk of unintended host modification and persistence.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The analyze command is not purely read-only: it can write report artifacts into the repository and, when requested, trigger remote PR creation. That expands the trust boundary from local analysis to persistent repository and network side effects, which is risky for a tool presented as an analyzer because users may invoke it expecting inspection rather than mutation/exfiltration-like behavior.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The console advertises direct Python expression evaluation and even accepts bare expressions, which is unrelated to architectural review and materially expands the skill's capabilities into code execution. In the skill context, this is more dangerous because the agent may process untrusted repositories and run as a sub-agent or background watcher, increasing the chance that debug features are exposed in privileged environments.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Although /config attempts partial redaction, the console also exposes the full context through eval and direct variable inspection, allowing users to read supposedly hidden configuration fields, tokens, file contents, or adapter results. This mismatch makes the sanitization misleading and can cause secret disclosure even when the UI implies data is safe to inspect.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
add_plugin accepts an arbitrary local path and copies its contents into the application's plugin directory, after which initialize_registry/load_external_plugins will discover it. In a plugin system, importing/discovering external plugins commonly results in code execution, so this creates a straightforward path for persistence and execution of attacker-supplied code from an untrusted workspace or local path.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The optional OpenAI backend creates an outbound network path that can transmit repository text to a third-party service, which expands the skill's data exposure beyond local architectural analysis. In a code-review assistant context, inputs may contain proprietary source code, secrets, or internal design details, so adding remote API use without strong gating materially increases privacy and supply-chain risk.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The README advertises memory search and historical run retrieval features, including matched snippets, without any notice about retention, access controls, or possible exposure of proprietary code fragments. In an agent/MCP context, this increases the risk that sensitive source snippets or architectural details are retained and later surfaced to tools or users who should not see them.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad and subjective, such as when a module 'feels off' or when architectural insight is needed, which increases the chance of unintended invocation in contexts the user did not mean to authorize. In a skill with shell, network, file-write, and PR-creation capabilities, ambiguous routing is more dangerous because accidental activation can lead to scans, report generation, or remote-side effects without clear user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes automatic PR creation and background monitoring that clones/pulls repositories and may send notifications, but it does not present strong warnings about local writes, network access, authentication use, or remote side effects. In this context, the danger is elevated because the actions affect both local state and third-party systems, potentially exposing private code, consuming credentials like GH_TOKEN, and creating unauthorized changes or notifications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation encourages use of external AI providers to analyze repository contents but does not clearly warn that code, file contents, or derived findings may be transmitted to third-party services. In a code-review tool, this omission can lead users to unintentionally expose proprietary source code, secrets, or regulated data to external vendors.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The PR creation section states that the tool writes a report to the repository root, commits it, and opens a GitHub PR, but it does not prominently warn about the local write and remote publication consequences. Users may trigger repository modification and publication of analysis artifacts containing sensitive architectural details without fully understanding the side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to run an installer that writes a systemd unit into /etc/systemd/system using sudo and immediately enables and starts it, creating persistence and startup side effects without an explicit warning. In a repo skill context, this is risky because users may treat setup docs as routine and not realize they are granting background execution and boot-time persistence.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
src/ghostclaw/cli/commands/debug/console.py:62

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
src/ghostclaw/core/adapters/registry.py:136

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/ghostclaw/core/llm_client/__init__.py:51