GitHub Projects V2

Security checks across malware telemetry and agentic risk

Overview

This skill is useful for GitHub Projects work, but it also enables broader GitHub write actions and relies on an unpinned third-party CLI extension, neither of which is fully scoped in its main description.

Install only if you are comfortable giving the agent GitHub write authority for the relevant repositories and projects. Review each command before execution, avoid installing the third-party extension unless you trust and pin it, and prefer a GitHub token limited to the specific owner, repo, and project needed for the task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch
Medium, 89% confidence

Finding: The changelog documents capabilities to add issue comments and create issues/sub-issues, which expands the skill beyond the declared purpose of listing backlog items and setting project fields. This mismatch can mislead operators and downstream policy systems about what actions the skill may perform, increasing the risk of unintended repository modifications.

Context-Inappropriate Capability
Medium, 82% confidence

Finding: Issue commenting is a write capability that is not clearly necessary for basic GitHub Projects v2 field management. In an agent setting, undocumented comment-posting can be abused for spam, data leakage into issue threads, or unauthorized workflow manipulation through comments.

Context-Inappropriate Capability
Medium, 87% confidence

Finding: Issue and sub-issue creation are broader repository mutation capabilities than the stated project-management purpose implies. If an agent is trusted only to manage project fields, hidden creation features can be used to generate unauthorized tracking artifacts, spam, or manipulate planning workflows.

Scope Creep
High, 94% confidence

Finding: The documented actions likely require permissions beyond the declared `project` scope, especially for commenting and creating issues or sub-issues. A mismatch between advertised permissions and actual required privileges is dangerous because it obscures the true trust boundary and can lead users to grant broader repository access than expected.

Context-Inappropriate Capability
Medium, 81% confidence

Finding: The skill instructs installation of a third-party GitHub CLI extension from an external repository, which introduces supply-chain risk and executes code outside the declared project-management scope. In an agent setting, normalizing ad hoc extension installation can lead to unreviewed code execution and broaden trust far beyond the built-in GitHub CLI.

Scope Creep
High, 92% confidence

Finding: The skill states that `project` scope is required, but later includes issue creation, commenting, extension usage, and GraphQL mutation workflows that likely need broader repository or issue-write permissions. This mismatch undermines least-privilege expectations and can cause an operator or agent to authenticate with more access than the manifest suggests, increasing the blast radius of misuse or mistakes.

Missing User Warnings
Medium, 89% confidence

Finding: The skill provides write-capable commands that modify project fields, create issues, and post comments without clearly warning that they change remote GitHub state. In an agent-driven environment, lack of explicit mutation warnings increases the risk of accidental writes, unauthorized workflow changes, or surprise side effects on production repositories and project boards.

VirusTotal

63/63 vendors flagged this skill as clean.