GitHub Passwordless Setup

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate GitHub setup purpose, but it asks users to run unpinned remote code and grants broad, long-lived GitHub access with account-changing verification steps.

Review this carefully before installing. Avoid the curl-to-bash quick start, inspect scripts locally, use a fine-grained expiring GitHub token with only needed scopes, avoid delete_repo or admin:org unless specifically required, do not persist PATs in shell startup files, and do not run the repository create/delete verification commands on an important GitHub account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The guide recommends reading a GitHub token from a local file and exporting it into an environment variable in the user's shell profile, which broadens the token's exposure to child processes, shell history mistakes, crash dumps, and accidental disclosure through debugging or support commands. Even if convenient, this increases the attack surface for a long-lived credential beyond the immediate authentication step.

Intent-Code Divergence

Low
Confidence: 88%
Finding
The document's best-practices section advises minimum scopes, but earlier setup guidance normalizes broad scopes such as `repo`, `workflow`, `delete_repo`, and `admin:org`. This inconsistency encourages over-privileged PAT creation, increasing blast radius if the token is exposed.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script performs a real remote side effect by creating and deleting a GitHub repository, which exceeds the stated goal of authentication setup. Even if intended as a verification step, it uses account capabilities unnecessarily and could create audit noise, trigger org policies, or leave artifacts if deletion fails.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Exercising repository management permissions is broader than necessary for a passwordless authentication setup skill. This increases risk because the script validates high-impact write capabilities on the user's GitHub account without strong justification or explicit consent.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The verification script performs state-changing remote operations by creating and deleting a GitHub repository, which goes beyond verifying passwordless authentication. This can cause unintended side effects, consume account resources, and trigger org policies/audit events, and it fails the principle of least surprise for a 'verify' action.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Creating a public repository as part of a setup verification is unjustified for the stated purpose and exposes unnecessary external effects. Even if the repo is deleted afterward, it may briefly become visible, generate notifications, appear in audit logs, or fail to delete, leaving an unwanted public artifact.

Missing User Warnings

Medium
Confidence: 98%
Finding
The README instructs users to execute a remote script directly with `curl ... | bash`, which bypasses inspection, integrity verification, and normal trust checks. In a security-sensitive setup flow that configures authentication, this is especially dangerous because a compromised repository, branch, or network path could immediately execute arbitrary code on the user's machine.

Missing User Warnings

Medium
Confidence: 95%
Finding
The token setup guidance encourages creating a Personal Access Token and elsewhere promotes non-expiring tokens, but it does not warn users about the risks of long-lived credentials or safe handling practices. A leaked PAT can grant repository and API access, and if configured with broad `repo` scope and no expiration, the compromise can persist for a long time.

Missing User Warnings

Medium
Confidence: 93%
Finding
The verification command chains repository creation and deletion, including `gh repo delete --yes`, without clearly warning that it performs a destructive action. Users may run it blindly and delete the wrong repository if the name resolution or repository listing does not behave as expected.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README instructs users to execute a remote shell script directly with `curl ... | bash` and later provides a verification command that creates and deletes GitHub repositories, but it does not clearly warn that these commands will execute unreviewed code and modify or destroy remote resources. This is dangerous because users may run the commands blindly, leading to arbitrary code execution on their machine or unintended deletion of GitHub assets under their authenticated account.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill promotes `curl ... | bash` to fetch and immediately execute a remote script with no warning to review or pin the code first. If the upstream repository, branch, hosting path, or network path is compromised, users could execute attacker-controlled code directly on their machines.

Missing User Warnings

Medium
Confidence: 96%
Finding
The guide suggests storing a GitHub PAT in `GH_TOKEN` and even loading it from a file in shell startup configuration without cautioning about exposure risks. Environment variables are commonly inherited by subprocesses and may be surfaced in logs, debug output, or local compromise scenarios, making credential theft easier.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script silently logs out any existing GitHub CLI session before warning the user, modifying local authentication state unexpectedly. This can disrupt existing workflows, remove access to other accounts, and surprises the user in a security-sensitive context.

Missing User Warnings

Medium
Confidence: 96%
Finding
The repository creation/deletion test makes undisclosed remote changes to the user's GitHub account. In security-sensitive tooling, performing externally visible account actions without clear prior disclosure and consent is dangerous because it normalizes hidden side effects and may affect compliance, notifications, or org controls.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script performs remote repository creation and deletion without an explicit warning or confirmation, which is unsafe for a verification utility. Users may run it expecting passive checks, but it can modify their GitHub account state and potentially interact with organization policies or leave residual resources if cleanup fails.

VirusTotal

66/66 vendors flagged this skill as clean.
