pr-review

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local code-review auto-fixer that can edit repository files, but no hidden execution, exfiltration, persistence, or destructive behavior was found.

Install this only if you want an agent that may modify files in your repository. Use it on a clean branch or clean working tree, review `git diff` afterward, and run tests before committing or opening a PR.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The skill is presented as an audit/review command, but it explicitly instructs the agent to edit files and auto-fix issues scoring >= 80. This creates a dangerous review-to-write escalation: a user invoking a supposedly analytical command may unintentionally authorize code changes, including changes suggested by imperfect model judgments, which can introduce malicious or unsafe modifications into the repository.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The allowed tools include broad Edit and Write capabilities for a command whose stated purpose is to audit existing code. Granting write primitives in an audit context increases the blast radius if the skill is misused, mis-triggered, prompt-injected by repository content, or simply follows faulty analysis and overwrites source files during what should be a low-risk inspection workflow.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly instructs the agent to apply fixes directly to repository files once issues meet a score threshold, but it does not require an explicit warning or confirmation before modifying user code. In a PR review context, this creates a real safety risk because users may invoke what appears to be a review action and unexpectedly receive workspace mutations, potentially altering source files or introducing incorrect changes.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README prominently advertises that the skill will automatically fix issues directly in user code, but it does not present a clear upfront warning that running the skill can modify files and may introduce incorrect or unsafe changes. In a code-review context, users may reasonably expect analysis and reporting, not immediate edits, which increases the risk of unintended code changes being applied without explicit informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The `/pre-review` workflow states that issues are fixed directly in code as part of the normal command flow, but it does not clearly warn users before describing file-modifying behavior. Because this command is positioned as a pre-PR review tool, the lack of an explicit modification warning can cause users to invoke it expecting analysis only, leading to silent or unexpected edits in active work branches.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The `/code-audit` documentation describes auto-fixing high-confidence issues during an audit without a clear warning that audit execution can change files. Audits are often expected to be observational, so combining security review with automatic modification increases the chance of accidental code alteration, disruption of investigations, or introduction of flawed fixes into sensitive code paths.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs the agent to directly fix high-confidence issues, but the command description frames the operation as code audit/review rather than repository modification. That mismatch can mislead users about the command's side effects and makes unintended source changes more likely, especially in automated or semi-attended review workflows.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly instructs the agent to 'fix issues directly' in the user's code, but it does not provide an upfront warning that files will be modified automatically before analysis begins. In an agent setting, this can cause unexpected code changes, accidental corruption of work in progress, or edits the user did not intend to authorize, especially because the skill also encourages broad automated analysis and direct editing.

VirusTotal

64/64 vendors flagged this skill as clean.