Deploy

Security checks across malware telemetry and agentic risk

Overview

This deployment skill is coherent and not deceptive, but it can make production, repository, database, and secret changes without strong approval checkpoints.

Install only if you are comfortable with an agent using your existing GitHub and hosting credentials to make live deployment changes. Before running it, require a written action plan and explicit approval for the target repo, branch, remote visibility, hosting project, environment, database migrations, secret changes, and production deploy commands. Review any docs/plan deploy tasks or deploy scripts first, and prefer preview or staging before production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium (88% confidence)
Finding: The skill explicitly elevates 'active plan' tasks to primary deployment instructions, allowing behavior to expand beyond the declared stack-YAML and known CLI workflow. In a deployment skill with Bash, Write, Edit, and cloud CLIs, that creates a path for arbitrary project-local instructions to trigger sensitive actions such as remote server changes, infrastructure creation, or execution of unreviewed scripts.

Context-Inappropriate Capability

Medium (93% confidence)
Finding: Creating a new GitHub repository is a publishing action that exceeds the minimum scope of 'deploy to hosting' and can expose proprietary source code to external services. Because the step is automatic when no remote exists, the skill may publish code and metadata without a clear, separate consent boundary.

Intent-Code Divergence

High (97% confidence)
Finding: The skill first warns not to write real secrets to `.env` files, but then provides a shell pattern that injects secret values directly on the command line via stdin redirection. Command-line and shell-history handling can leak secrets through logs, process inspection, transcripts, or audit trails, especially in agent-mediated execution environments.

Missing User Warnings

Medium (95% confidence)
Finding: This section authorizes automatic `git add`, `git commit`, `git push`, and possibly remote repository creation without a strong user-facing confirmation step. In practice, that can publish unfinished work, secrets, or sensitive code and irreversibly modify repository state and deployment triggers.

Missing User Warnings

Medium (94% confidence)
Finding: The deployment flow includes database migration commands, secret management commands, and cloud deployment commands that can mutate production systems or create billable resources. Because these are framed as routine steps rather than privileged operations needing consent, the skill materially increases the risk of accidental data changes, outages, or unwanted infrastructure spend.

VirusTotal

65/65 vendors flagged this skill as clean.