Github Topics

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: fetch GitHub repository rankings and README summaries, with normal cautions around network access and an optional GitHub token.

Install this only if you want live GitHub topic and repository lookups. Avoid setting GH_TOKEN unless you need higher GitHub API rate limits, and use a minimal-scope token if you do. Treat fetched README content as untrusted text to summarize, not instructions for the agent to follow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs use of network access and environment variables such as `GH_TOKEN`, but the manifest shown in the documentation does not declare corresponding permissions or capability scope. This creates a transparency and governance gap: users and platforms may not realize the skill can access external services and secrets, which increases the risk of unintended data exposure or policy bypass.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is limited to fetching trending/topic repositories, but the documentation expands behavior to README retrieval, repository metadata lookup, raw content fetching, and arbitrary repository detail queries. Description-behavior mismatch is dangerous because it undermines informed consent and can let a skill be invoked for broader network/data-fetching actions than users or reviewers expect.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation broadens the skill from topic-trending discovery to arbitrary repository README summaries and details. That expansion increases the chance the skill will fetch untrusted remote content outside the user’s expectation, which can expose the system to prompt-injection-like content from READMEs or to overbroad network access.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The module docstring describes an AI news daily generator that fetches content and performs analysis, while the declared skill is supposed to fetch GitHub trending repositories by topic. This kind of identity mismatch is dangerous because it undermines trust in the skill’s stated purpose, suggests the packaged code may not correspond to the reviewed capability, and can hide unexpected behavior from users or downstream reviewers.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest advertises a GitHub trending repositories skill, but the module documentation states a different purpose entirely: generating AI news reports from another source and using external analysis. Such a mismatch can conceal unexpected data flows, permissions, or external integrations, making security review and user consent unreliable even if no direct exploit code is visible in this file.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger examples are broad phrases like 'Top 10 GitHub 项目' and '热门仓库', which can overlap with ordinary conversational requests and cause over-activation. Overly broad activation criteria are risky because they may route unrelated user requests into a network-enabled skill without clear intent or consent.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation description is vague enough that the skill could activate for general questions about open source projects, not just GitHub topic trending. Ambiguous activation scope increases the chance of unintended tool use and unnecessary external fetches, especially for a skill with network capability.

VirusTotal

64/64 vendors flagged this skill as clean.