cross-ref

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate repository-maintenance purpose, but it includes bulk GitHub write actions with automation framed around avoiding abuse detection.

Review before installing if you will run it on repositories where your GitHub account can write. Use plan mode first, inspect every proposed comment/label/close action manually, prefer least-privileged credentials, and avoid using the bulk posting behavior to disguise automation or bypass platform protections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill clearly instructs reading and writing workspace files and invoking shell/gh-based workflows, but no explicit permission declaration is present. That creates a capability/expectation gap: a caller or platform may treat the skill as low-risk while it can access environment data and persist artifacts, which is dangerous if reused in broader contexts or granted implicit trust.

Description-Behavior Mismatch

Medium
Confidence: 82%
Finding: Although the skill says it starts in report-only mode, it also contains fully specified write operations for commenting, labeling, and closing PRs/issues. In agent settings where user intent is inferred loosely or state is mishandled, these embedded action paths increase the chance of accidental repository modification despite the supposed dry-run default.

Vague Triggers

Medium
Confidence: 88%
Finding: The README says the skill activates automatically from broad natural-language cues like 'find related PRs' or 'link issues and PRs,' which increases the chance of unintended invocation on the wrong repository or with unsafe defaults. In a tool that can later perform bulk commenting, labeling, or closing actions, ambiguous activation materially raises the risk of accidental high-impact operations.

Natural-Language Policy Violations

High
Confidence: 98%
Finding: The README explicitly states that posting behavior is designed 'to not trigger GitHub's abuse detection,' which is an instruction to evade platform safety controls rather than simply comply with rate limits. Evasion guidance is dangerous because it enables higher-volume automated actions while reducing visibility to protective systems intended to stop spam or abusive automation.

Vague Triggers

Medium
Confidence: 76%
Finding: The trigger language is broad enough to match many routine repository-maintenance requests, which can cause the skill to activate in contexts where the user did not intend large-scale analysis or potential follow-on write actions. Because this skill can eventually comment, label, and close items, overbroad invocation increases the risk of surprising or excessive repository operations.

Missing User Warnings

Medium
Confidence: 84%
Finding: The script performs write actions against GitHub by posting comments without any interactive confirmation, dry-run gate, or equivalent explicit approval check in the script itself. In a skill designed to operate across many PRs/issues, this increases the risk of unintended mass commenting, repository spam, and irreversible workflow disruption if upstream approval data or inputs are wrong.

Natural-Language Policy Violations

High
Confidence: 96%
Finding: The script explicitly describes making API activity appear 'organic-looking' through jitter, breathing pauses, and backoff, which indicates intent to disguise automation rather than merely rate-limit safely. In the context of bulk GitHub commenting, this can help evade platform anti-abuse detection and enables stealthy large-scale manipulation or spam campaigns.

Ssd 4

Medium
Confidence: 95%
Finding: Framing anti-detection mechanics as ordinary rate limiting normalizes stealthy automation and may encourage operators to believe the behavior is acceptable. In context, the skill is capable of mass commenting and repository hygiene actions, so hiding automation patterns increases the potential for spam, manipulative repo activity, or policy-violating bot behavior.

Ssd 4

Medium
Confidence: 96%
Finding: The rate-limit section gives concrete tactics (jitter, breathing pauses, and backoff tuned around detection patterns) for making automated posting appear less detectable. That goes beyond responsible throttling and provides operational guidance for evading anti-abuse systems, which could be repurposed for spam or large-scale manipulative commenting across repositories.

Ssd 4

Medium
Confidence: 94%
Finding: The staged jitter and 'breathing pauses' are not just normal retry behavior; they are designed to mimic human usage patterns during bulk comment posting. That makes the automation more dangerous in this skill context because the skill can act across many PRs/issues, turning repository maintenance tooling into a mechanism for covert mass outreach, spam, or abuse-evasion.

Unrestricted Tool Access

Medium
Category: Excessive Agency
Content:
- The **complete** PR index (compact, ~60KB) — for duplicate detection
- The existing references map (so it skips already-linked items)

**Spawn subagents using the Task tool:**

```
For each batch B of {batch_size} PRs:
```
Confidence: 88%
Finding: tool:*

VirusTotal

64/64 vendors flagged this skill as clean.
