Claude Skill

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates Claude Code, but it encourages permission-bypassing, long-running agents that can edit files, run commands, and publish repository changes without clear approval checkpoints.

Install only if you intentionally want an agent to delegate coding work to Claude Code with broad local and repository authority. Use isolated worktrees or containers, prefer read-only or `acceptEdits` modes, avoid `--dangerously-skip-permissions` on real projects, restrict allowed tools, and manually review commands, diffs, commits, pushes, PRs, MCP access, and notifications before they affect shared systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The manifest and body present the skill as a general way to "leverage claude" for coding help, but the documented behavior expands into autonomous repository operations including branch creation, commits, pushes, PR creation, notifications, and cleanup. That mismatch is dangerous because users or orchestrators may invoke the skill expecting bounded assistance while it actually authorizes broad, state-changing actions across local and remote systems.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The skill instructs the agent to commit changes, push a branch to origin, and create a GitHub PR automatically. Granting autonomous write access to remote repositories is high risk because prompt mistakes, compromised context, or malicious instructions can exfiltrate code, publish unsafe changes, or create unauthorized development activity without human review at the point of action.

Context-Inappropriate Capability

Severity: Low
Confidence: 91%
Finding:
The skill includes an external notification action via `openclaw system event`, which creates an outbound side effect unrelated to core code editing. Even if the payload is simple, external signaling can leak task names, workflow state, or repository activity and can be abused for covert signaling or unintended integration effects.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The examples expand the skill from a code-focused Claude automation helper into unrelated domains like SRE incident response and legal document review. This is dangerous because users may invoke the skill for high-sensitivity tasks the manifest does not justify, increasing the chance of over-privileged tool use, unsafe delegation, and misuse of external systems or sensitive documents.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The Datadog/MCP incident-response example introduces access to monitoring infrastructure and operational diagnostics that are outside the stated code-review/implementation purpose. In practice, this can normalize use of powerful external integrations for production investigation without clear authorization boundaries, potentially exposing logs, secrets, customer data, or enabling unsafe operational actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The legal document review/session example extends the skill into legal analysis and persistent multi-turn handling of potentially sensitive contract data, which is unrelated to the declared coding purpose. This can mislead users into processing confidential documents under a skill not designed with appropriate privacy, retention, or domain-specific safeguards.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger text says to use this skill whenever the user asks to leverage Claude or Claude Code for something, which is overly broad. Because the skill performs powerful autonomous actions, broad matching increases the chance of accidental invocation in contexts where the user only wanted advice or analysis, leading to unintended code execution and repository modifications.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The description explicitly promotes "non-interactive automation mode" and "without approval prompts," while the body repeatedly recommends `--dangerously-skip-permissions`. That is dangerous because it normalizes bypassing safety interlocks for a skill that can run shell commands, edit repositories, push code, and create PRs, substantially increasing the blast radius of mistakes or adversarial prompts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The bug-fixing example grants edit-capable permissions and implies autonomous code modification without warning that files will be changed. This is dangerous because users may treat the command as analysis-only and unintentionally authorize source changes, which can introduce damaging edits or broad workspace modifications.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The batch refactor example authorizes broad write/edit operations across the entire codebase without warning about mass changes. That combination is particularly risky because a single prompt can trigger widespread automated modifications, causing large-scale breakage, malicious prompt abuse, or hard-to-review changes if used carelessly.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The multi-turn legal review workflow uses `acceptEdits` without disclosing that documents or workspace files could be modified during the session. Because the session persists across steps, users may not realize later prompts still carry write capability, increasing the risk of unintended changes to sensitive legal materials or related files.

VirusTotal

64/64 vendors flagged this skill as clean.