ClawHub

IPaaS VitePress Content Automation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real VitePress publishing helper, but it can modify local docs and publish a site over SSH from a broad writing request without a clear approval step.

Install only if you intentionally want an agent to generate VitePress content, update navigation, and publish over SSH. Before use, fix the deploy script path mismatch, use a restricted non-root deploy account, verify `SERVER_IP` and `REMOTE_DIR`, and require manual review plus explicit approval before any write or deployment step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger condition is broad enough to activate on ordinary documentation or integration-writing requests, while this skill also performs file writes and deployment actions later in the workflow. That combination increases the risk of the agent invoking state-changing behavior when the user may have intended only content drafting, creating a scope-escalation and unintended publication risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow includes writing project files and executing a shell deployment script, but it does not require an explicit warning or confirmation before making those changes. In practice, this can lead to unauthorized modification of site content or accidental publication to a remote server, especially if the skill is triggered from an ambiguous content-generation request.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal