GitHub PR Manager

Security checks across malware telemetry and agentic risk

Overview

This PR helper has a coherent purpose, but it can keep running and make high-impact GitHub changes using broad credentials without enough clear user control.

Install only if you want an agent to manage PRs with your GitHub identity. Use a fine-grained token limited to the specific repository, require explicit confirmation before pushes, force-pushes, comments, branch deletion, or issue changes, and remove any cron tracking when the PR is closed or merged.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is broad enough to overlap with ordinary development and GitHub assistance requests, which can cause the agent to invoke this skill unexpectedly. Because the skill includes repository writes, PR creation, branch tracking, and automated follow-up actions, accidental invocation could trigger unauthorized or surprising changes in a user's GitHub workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs the agent to amend commits and force-push with only minimal caution, but does not clearly warn about history rewriting, branch divergence, or the risk of overwriting collaborators' work. In a PR-management skill that performs ongoing automated actions, this makes destructive repository operations more dangerous because they may be executed routinely or without sufficiently informed user approval.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly instructs rewriting Git history and force-pushing a branch, but does not warn about the risks of overwriting collaborators' work, invalidating review context, or disrupting branch protections. In a PR-management skill that automates repository operations, this omission is materially risky because users may execute it routinely during CI/DCO remediation without understanding the consequences.

Credential Access

High
Category
Privilege Escalation
Content
### Token Permissions

A GitHub Personal Access Token with the following permissions is required:
- `repo` - access repository code
- `workflow` - access Actions
- `read:org` - read organization information
Confidence
87% confidence
Finding
Access Token

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
cd <repo-path>
git commit --amend --signoff --no-edit
git push --force-with-lease origin <branch>
```

### 3. Handling Review Comments
Confidence
96% confidence
Finding
git push --force

VirusTotal

64/64 vendors flagged this skill as clean.
