ClawHub

merge-deploy-verify-loop

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only deployment checklist that can guide powerful release actions, but those actions are disclosed, purpose-aligned, and include practical safety checks.

Install this only if you want the agent to help run real merge, deploy, restart, and verification workflows. Before invoking it, confirm the target branch, CI job, Kubernetes namespace, API account, and database environment, and do not use production credentials or production data unless you explicitly approve that scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger conditions are broad enough that this skill could activate on loosely related requests and then proceed into high-impact actions such as git push, merge, CI deployment, pod restart, and database validation. In a deployment-oriented skill, overbroad invocation is dangerous because accidental activation can cause unintended changes to shared environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly contemplates modifying shared or even production data during verification, but the description does not present an upfront warning, safety boundary, or mandatory confirmation before those actions. Because the workflow includes live deployment and post-deploy testing, this omission increases the chance that destructive or user-visible data changes are performed without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal