Fork Manager

Security checks across malware telemetry and agentic risk

Overview

The visible skill is a purpose-scoped ClawHub PR maintenance guide with expected GitHub workflow authority, and I did not corroborate the supplied high-risk scanner claims in the available artifact files.

Install only if you are a ClawHub maintainer or are intentionally delegating GitHub PR review actions. Review any generated comment, proof publish, label, or close operation before allowing it to run with an authenticated GitHub account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill explicitly allows per-repo `postSyncHooks` as shell commands, which expands a fork-management skill into arbitrary command execution driven by repository configuration. Because the config can contain attacker-influenced strings and the hooks run after sync with filesystem and network access, this creates a command-execution path far broader than the manifest suggests.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding
The documentation promises closed PRs are never removed automatically, but `update-config` removes no-longer-open PRs before the interactive `review-closed` step. This can silently discard tracking state and bypass the review workflow intended to protect branches that may need to be kept as local patches or resubmitted.

Ssd 3

Severity: Medium
Confidence: 92%
Finding
The orchestrator is instructed to include prior history, repo config, and any user-specific instructions in spawned subagent prompts. That broad prompt propagation can leak secrets, internal paths, tokens accidentally captured in prior logs, or sensitive business context into downstream agents and session histories that do not need full access.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The append-only history requires storing the full user-facing report verbatim, causing sensitive repository state, branch names, patch rationales, local paths, and possibly user instructions to persist and be re-exposed on every subsequent run. This increases the blast radius of any accidental secret disclosure and creates unnecessary long-term retention of operational context.

VirusTotal

65/65 vendors flagged this skill as clean.
