ClawHub

tick-md

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local task-coordination helper; it can change project task files, but the reviewed behavior fits its stated purpose.

Install only if you trust the tick-md and tick-mcp-server npm packages and want agents to manage a project TICK.md file. Keep the file under version control, avoid putting secrets in task comments, require explicit approval for MCP config changes and git pushes, and ask agents to confirm before deletes, force deletes, direct edits, or non-dry-run undo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill instructs the agent to automatically create and manage tasks from ordinary natural-language requests, which makes tool invocation overly broad and easy to trigger without a clear confirmation boundary. In practice, benign user requests like 'refactor the auth' could cause unreviewed writes to TICK.md and related state changes, increasing the risk of unintended modifications and action creep.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented `tick delete TASK-001` command is a destructive operation, but the skill provides no warning, confirmation requirement, or recovery guidance at the point of use. That omission makes accidental or socially engineered deletion more likely, especially because the skill otherwise encourages the agent to operate transparently on the user's behalf.

Missing User Warnings

High
Confidence
96% confidence
Finding
The `tick delete TASK-001 --force` example advertises an irreversible, dependency-breaking operation without any adjacent warning or approval requirement. Because force deletion bypasses normal safeguards and may remove tasks with dependents, it can corrupt coordination state, erase auditability, and cause cascading workflow errors if triggered accidentally or through prompt manipulation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation exposes a destructive deletion capability, including a force option that can remove tasks even when dependents exist, but provides no warning, confirmation guidance, or discussion of irreversible workflow damage. In an agent-facing skill, this materially increases the chance that an automated agent will invoke deletion casually and corrupt project state or coordination history.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The tick_edit tool is explicitly described as bypassing state machine validation, which means an agent can directly alter status and dependency fields without integrity checks. In a coordination system, this can create inconsistent or fraudulent task state, bypass workflow controls, and undermine trust in automation-driven project management.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The undo operation reverts the most recent tick commit, which is a repository-changing action with potentially broad side effects, yet the documentation presents it as routine recovery without warning about rollback scope or concurrency risks. An agent could unintentionally revert another actor's work or alter repository history in a shared environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal