Caprover CI Deployments

Security checks across malware telemetry and agentic risk

Overview

This deployment skill is purpose-built, but it can trigger real GitHub and CapRover deployments with stored credentials and too little built-in confirmation or scoping.

Review before installing. Prefer per-app CapRover tokens or webhook URLs instead of a master password, use a least-privilege GitHub token, protect config.json, and require manual confirmation of the app, repo, branch, environment, and deploy strategy before any live deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documents network and shell-capable actions that can trigger real deployments, query GitHub Actions, and invoke the CapRover CLI, yet there is no declared permission model or explicit restriction around those capabilities. In an agent setting, hidden or undeclared side-effectful capabilities increase the risk of unexpected remote actions, credential use, and operational changes without adequate user awareness or policy enforcement.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Broad trigger phrases such as 'deploy X' or 'trigger a deploy of X' can cause unintended invocation of a skill that performs high-impact operational actions. In conversational systems, ambiguous triggers raise the chance of accidental deployments, especially if the assistant interprets casual discussion or quoted text as an action request.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises deployment-triggering behavior without a prominent warning that these actions can change live systems, start CI/CD runs, or deploy code to production-like environments. Because the skill's purpose is operationally sensitive, the lack of explicit user warning and confirmation materially increases the risk of accidental or socially engineered system changes.

External Transmission

Medium
Category
Data Exfiltration
Content
## Strategy 1: GitHub Workflow Dispatch (Recommended)

```bash
curl -X POST \
  -H "Authorization: Bearer $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github+json" \
  https://api.github.com/repos/OWNER/REPO/actions/workflows/deploy.yml/dispatches \
```
Confidence
94% confidence
Finding
curl -X POST \ -H "Authorization: Bearer $GITHUB_TOKEN" \ -H "Accept: application/vnd.github+json" \ https://api.github.com/repos/OWNER/REPO/actions/workflows/deploy.yml/dispatches \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Check run status:
```bash
curl -H "Authorization: Bearer $GITHUB_TOKEN" \
  https://api.github.com/repos/OWNER/REPO/actions/runs?per_page=1
```

## Strategy 2: CapRover Webhook Trigger
Confidence
87% confidence
Finding
https://api.github.com/

VirusTotal

65/65 vendors flagged this skill as clean.
