Review

Security checks across malware telemetry and agentic risk

Overview

This review skill is mostly a legitimate quality gate, but it can edit and commit project files and affect pipeline state without clear upfront user approval.

Install only if you are comfortable with a review skill that may run local project commands, inspect deployment logs through existing CLI sessions, edit review/planning documentation, create git commits, and influence pipeline flow. Review diffs before accepting its commits, and prefer running it in trusted repositories where these side effects are expected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill is framed as a review/quality-gate tool, but it instructs the agent to edit spec artifacts and create commits automatically. That expands a read-mostly auditing step into a repository-mutating workflow action, which can silently alter project state, mask review independence, and trigger downstream automation without explicit user consent.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The post-verdict CLAUDE.md rewrite instructs the agent to modify project documentation and commit the change as part of review. This is dangerous because a reviewer should not silently rewrite persistent guidance files; it can introduce prompt/policy drift and unauthorized repository changes under the guise of documentation hygiene.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
On non-SHIP outcomes, the skill appends fix tasks to plan.md, changes status, and commits those changes automatically. This turns a reviewer into a planner/modifier, enabling unauthorized workflow mutation and potentially steering future development without human review.

Context-Inappropriate Capability

Medium
Confidence: 80%
Finding
Broad web search is not necessary for a local final code review skill and increases the attack surface for prompt injection, data exfiltration, and dependency on untrusted external content. In this context, external search can import adversarial instructions into what should primarily be a local evidence-based audit.

Intent-Code Divergence

High
Confidence: 96%
Finding
The skill states that review only modifies plan.md and never source code, yet elsewhere it directs edits to spec.md and CLAUDE.md. This contradiction is dangerous because it obscures the skill's true side effects, undermines informed consent, and makes users more likely to approve or run unexpected repository mutations.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill directs automatic edits and commits to repository files without clearly warning the user up front that running review will change project state. Hidden write behavior is risky because users may invoke a review expecting read-only analysis, but instead get persistent changes and git history mutations.

Missing User Warnings

Medium
Confidence: 97%
Finding
Automatic CLAUDE.md editing and committing is not prominently disclosed in the skill's front matter or initial description. This hidden behavior can surprise users, alter agent operating guidance, and create trust issues around what a 'review' action actually does.

Missing User Warnings

Medium
Confidence: 97%
Finding
Appending tasks to plan.md and committing them on failure outcomes is a hidden repository mutation not clearly disclosed before execution. This can silently reshape project workflow and backlog state, especially if downstream systems consume plan files or commit events.

VirusTotal

66/66 vendors flagged this skill as clean.