ClawHub

Claude Code Invoke

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about invoking Claude Code, but it makes permission-skipping the default for local repository tasks.

Install only if you intentionally want an agent to launch Claude Code against local Git repositories. Prefer removing `--dangerously-skip-permissions`, keep normal permission prompts enabled, and use it only in trusted repos with reviewed prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs operators to run `claude -p` with `--dangerously-skip-permissions`, which disables an important safety control and permits the delegated tool to act without interactive approval. Because the prompt content is user-driven and the skill is meant to run against arbitrary Git repositories, this can turn untrusted natural-language input into broad unchecked actions such as code modification, data access, or command execution beyond the narrow stated purpose of a 'single prompt task'.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation repeatedly normalizes use of a flag literally named `--dangerously-skip-permissions` without any warning, justification, or compensating safeguards. This increases the likelihood that users will run high-privilege automated actions in sensitive repositories without understanding that they are bypassing approval gates designed to prevent destructive or overbroad behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal