GitHub Extract

Security checks across malware telemetry and agentic risk

Overview

This skill is a mostly coherent GitHub content extractor, but it can fetch arbitrary non-GitHub URLs and save remote content locally despite being presented as GitHub-only.

Review before installing. Use it only with trusted public GitHub URLs, avoid private or internal URLs, and prefer a version that rejects non-GitHub hosts, declares wget explicitly, adds timeouts and size limits, and avoids saving untrusted remote content through wget.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tmpdir = Path(tempfile.mkdtemp(prefix="gh-extract-"))
tmpdir.mkdir(parents=True, exist_ok=True)
# work in tmpdir, let wget decide the file name
subprocess.run(["wget", "--quiet", url], cwd=tmpdir)
for path in tmpdir.glob("*"):
    # return the first file
    if path.is_file():
Confidence
93% confidence
Finding
subprocess.run(["wget", "--quiet", url], cwd=tmpdir)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes `uv` and `wget` to fetch remote GitHub content and possibly write it to disk, but it declares no corresponding permissions. This creates a transparency and policy gap: users or orchestrators may not realize the skill can perform network access and shell-like execution, increasing the chance of unintended remote fetches or unsafe automation decisions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The main flow falls back to the original user URL when GitHub-to-raw conversion fails, so the skill can fetch arbitrary remote content instead of only GitHub content. In an agent environment, this expands scope from a narrow GitHub extractor into a general URL fetcher, enabling SSRF, access to internal metadata endpoints, and retrieval of attacker-controlled data.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Using an external wget subprocess is unnecessary for this skill’s stated purpose and increases risk surface compared with in-process HTTP fetching. It introduces dependency on host tooling and causes untrusted remote content to be written to disk, which is more dangerous in agent/runtime environments where downloaded files may later be processed by other components.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The triggers include broad natural-language phrases like 'Extract content form this github url' and 'Download this github file', which may match user requests unintentionally. Because the skill performs network retrieval and optional file writes, accidental invocation could cause unreviewed downloads or data being saved without clear user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description and notes mention saving to a temp path, but they do not clearly warn users that downloaded remote content may be written to disk. This can surprise users, create persistence of untrusted files, and increase the risk of later misuse if other tools or workflows consume the saved content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal