Ops Code Review

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real code-review automation skill, but it needs review because it can modify the host and may expose the SVN password during scans.

Install only in a dedicated or containerized environment, avoid running install-deps on production/shared hosts, provision dependencies through trusted pinned packages where possible, use a least-privileged read-only SVN account, and fix the SVN password argv handling before using this in CI, hooks, or multi-user systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if name == "composer":
        return _install_composer()

    result = subprocess.run(
        shlex.split(install_cmd),
        capture_output=True,
        text=True,
Confidence
95% confidence
Finding
result = subprocess.run( shlex.split(install_cmd), capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Run the installer
    print("[INFO] Running composer installer...")
    result = subprocess.run(
        ["php", installer_path, "--", "--install-dir=/usr/local/bin", "--filename=composer"],
        capture_output=True,
        text=True,
Confidence
98% confidence
Finding
result = subprocess.run( ["php", installer_path, "--", "--install-dir=/usr/local/bin", "--filename=composer"], capture_output=True, text=True, )

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script's CLI behavior attempts to install missing tools automatically when run without arguments, which exceeds the stated role of a code-review/scanning helper and causes unexpected system changes. In a skill context, this is risky because users may invoke a check and instead trigger package installation, network access, and privileged modifications.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section gives the skill the ability to install system/global packages and to download and execute a remote installer, which is not justified by the declared code-review purpose. The mismatch between stated functionality and actual capability materially raises risk because a review tool should not need broad host-modification and software-bootstrap powers.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script exposes an `install-deps` action that can install missing tools on the host, which is a host-modifying capability beyond passive code review. In a code-review skill, this increases risk because anyone invoking the skill may trigger package installation with system-level side effects, expanding the trust boundary and potentially enabling unintended changes to the environment.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The usage text advertises `install-deps`, and the implementation later imports and runs `install_all()`, meaning the script is not only scanning code but also capable of altering the host system. That mismatch matters in an automation context because operators may grant this tool broader permissions than necessary, and a compromised or buggy dependency installer could change the environment unexpectedly.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The docstring claims passwords avoid command-line exposure, but svn_auth_cmd may append --password directly to the argv list. On many systems, process arguments can be exposed to other local users via process listings or audit tooling, causing credential disclosure.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
run_cmd states that passwords are passed via stdin when provided, but callers may already have included --password in cmd before run_cmd appends --password-from-stdin. This inconsistency can leave secrets exposed in process arguments despite the safer code path, creating a misleading and dangerous false sense of security.

VirusTotal

46/46 vendors flagged this skill as clean.
