Skill Publish

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent as a publish helper, but it asks an agent to use local GitHub credentials and perform remote publish, update, and delete actions with some unclear safety gates.

Install only if you intend to let this skill publish skill contents externally and update or delete files in a GitHub repository. Before using publish mode, run audit mode first, review the exact file list, confirm the repository and version target, and use a narrowly scoped GitHub token rather than a broad personal token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The skill contains contradictory instructions: Step 7 says to write fixed content to SKILL.md/README files, while the hard rules say local files must never be modified. In a publish workflow, that ambiguity can cause unintended edits to the user's working copy, violating integrity expectations and potentially altering source content before review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill instructs reading a GitHub PAT directly from a local token file, which expands the skill's access to sensitive credentials and normalizes file-based secret harvesting. If the skill is compromised or behaves unexpectedly, it could expose or misuse repository write credentials beyond the minimum needed for the stated task.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README explicitly advertises a publish pipeline that pushes to ClawHub and GitHub, but the documented workflow does not prominently warn users that local skill contents may be transmitted to external services. In a tool that audits and republishes files, this omission can cause users to publish sensitive or internal content under the assumption that the process is only local cleanup or validation.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README describes a publish workflow that will clean files and push content to ClawHub and GitHub, but it does not clearly warn that local files may be modified and data may be transmitted to external services. In a skill explicitly designed for auditing and publishing, that omission increases the risk of unintended disclosure or accidental destructive changes if a user invokes publish mode without understanding the side effects.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill performs impactful actions—rewriting content, publishing to ClawHub, pushing to GitHub, and deleting files—without a clear upfront warning and explicit user confirmation immediately before those actions. This increases the risk of accidental destructive operations, especially because the workflow blends audit and publish behavior in one skill.

Natural-Language Policy Violations

Severity: High
Confidence: 90%
Finding
The skill mandates English-only or English-first documentation rules without user opt-in, causing it to alter content based on a hardcoded language policy rather than user requirements. In practice, this can lead to unwanted modification, exclusion, or rejection of valid content solely due to language, which is an unsafe policy constraint in a publishing tool.

Natural-Language Policy Violations

Severity: High
Confidence: 93%
Finding
The hard rules permanently enforce English-first SKILL.md content without user choice, which is a stronger form of the same unsafe policy behavior. Because this is framed as non-overridable, it can systematically rewrite or block content in ways unrelated to security and contrary to user intent.

VirusTotal

VirusTotal findings are pending for this skill version.