Git Assistant

Security checks across malware telemetry and agentic risk

Overview

This AI git helper is mostly transparent, but one changelog path can run unintended local shell commands from crafted git ref names.

Review before installing. Use it only in repositories where sending diffs, commit messages, and git history to EvoLink is acceptable, and use a dedicated, revocable API key. Avoid changelog --from with untrusted tag or ref names until the eval issue is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior requires environment access, shell execution, and repository/file reads to inspect git state and call an external API. This mismatch weakens the platform trust model because users and policy engines cannot accurately evaluate what the skill can access before running it, especially since staged diffs and git history may contain sensitive code or secrets.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill metadata and script behavior do not clearly disclose that repository content, including staged diffs, commit history, branch names, and PR diffs, is sent to a third-party API. This is a real security and privacy issue because users may invoke the tool in sensitive repositories and unknowingly exfiltrate proprietary code or secrets to an external service.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The review command sends a user-provided commit message to an external API even though the task can be performed locally with deterministic checks. While the data volume is small, commit messages can still reveal internal project names, incident details, customer references, or roadmap information, making the unnecessary network dependency a real privacy issue.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script transmits git diffs and commit metadata to an external AI API without an explicit warning at the point of use. In this skill's context, that is especially risky because diffs and logs often contain source code, credentials accidentally staged for commit, internal URLs, secrets, and unreleased features.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends staged diffs, commit logs, branch names, and other repository metadata to a third-party API for AI generation, but it does not present a clear runtime warning, consent prompt, or redaction step before transmission. In a git assistant context, these inputs can easily contain source code, secrets, internal URLs, credentials, proprietary logic, or sensitive business context, making unintended data exfiltration a real risk.

External Transmission

Medium
Category
Data Exfiltration
Content
" "$native_prompt" "$native_content" "$native_payload" "$model"

  local response
  response=$(curl -sS "$EVOLINK_API" \
    -H "Content-Type: application/json" \
    -H "x-api-key: $api_key" \
    -H "anthropic-version: 2023-06-01" \
Confidence
97% confidence
Finding
curl -sS "$EVOLINK_API" \
  -H "Content-Type: application/json" \
  -H "x-api-key: $api_key" \
  -H "anthropic-version: 2023-06-01" \
  -d

VirusTotal

67/67 vendors flagged this skill as clean.
