GitHub Chat Assistant (Whatsapp)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its GitHub chat-ops purpose, but it asks for powerful GitHub credentials and adds under-scoped unattended cron automation with long-lived secrets.

Install only if you are comfortable granting the assistant GitHub access. If you do:
  • Use a fine-grained, short-lived token limited to one repository and to the minimum permissions the task needs.
  • Avoid pasting tokens into a chat whose history is retained; where the skill demands it, revoke the token as soon as the task is done.
  • Review all issue, comment, and update text before it is posted.
  • Delete temporary files and cached API responses after use.
  • Do not enable the cron automation unless you have secured the secret it reads, reviewed the script it runs, and know how to revoke the token and disable the job.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Severity: High. Confidence: 96%.
The skill’s core workflow says users should share a short-lived PAT during a chat and that it will be discarded, but later adds persistent automation using long-lived secrets in an env file and cron. That contradiction materially expands the trust boundary from ephemeral, user-provided access to durable unattended access, increasing the chance of secret leakage, misuse, and unauthorized repository actions.

Intent-Code Divergence

Severity: High. Confidence: 97%.
The documentation instructs users to send a temporary token in chat and says it will be discarded, but elsewhere directs operators to store long-lived secrets in an env file. This is a real security-design inconsistency that can mislead users about how credentials are handled and result in persistent storage of repository access tokens contrary to the stated model.

Missing User Warnings

Severity: High. Confidence: 98%.
The skill explicitly tells users to send personal access tokens in chat, which exposes secrets through chat history, platform retention, screenshots, message forwarding, and logging. Because the token may have repo or public_repo access, compromise could allow reading private code, opening/modifying issues, and broader repository actions depending on granted scope.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The skill advises saving raw API responses and caching repository contents under /tmp without addressing that commit metadata, issues, patches, and source files may contain sensitive proprietary or secret material. Local disk caching increases the risk of unintended retention, cross-user exposure on shared systems, and later exfiltration from temporary directories.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The cheatsheet includes ready-to-run examples that create issues, update issue state/assignees, post comments, and write API responses to local files without any guardrails about obtaining explicit user confirmation before making repository changes. In a chat-ops skill for non-technical users, this increases the chance of unintended state-changing actions against a live repository using a user-supplied token.
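The following Python is an added example written for this review; it is not the skill's code and not output of the scanner. It sketches the guardrails the three "Missing User Warnings" findings and the Overview advice ask for: tokens are redacted before any text is echoed or retained (token exposure in chat), cached API responses go into a private per-session directory that is deleted at close rather than a shared /tmp path (local caching), and state-changing API calls are refused unless the caller passes explicit user confirmation (unguarded create/update examples). The HTTP transport is a stub that only records what would have been sent; GuardedSession, redact_tokens, and file_mode are names chosen here, and the token pattern assumes GitHub's published ghp_/github_pat_ prefixes.

```python
import os
import re
import shutil
import stat
import tempfile
from typing import Optional

# GitHub token shapes: classic PATs start with ghp_ (gho_/ghu_/ghs_/ghr_ for
# other token kinds), fine-grained PATs with github_pat_. The minimum length
# keeps short words such as "ghp_x" from being treated as secrets.
TOKEN_RE = re.compile(
    r"\b(?:github_pat_[A-Za-z0-9_]{20,}|gh[pousr]_[A-Za-z0-9]{20,})\b")

# HTTP methods that change repository state; GET and HEAD are read-only.
STATE_CHANGING = {"POST", "PATCH", "PUT", "DELETE"}


def redact_tokens(text: str) -> str:
    """Replace every GitHub token in text so it can be echoed or logged safely."""
    return TOKEN_RE.sub("[REDACTED_TOKEN]", text)


def is_state_changing(method: str) -> bool:
    return method.upper() in STATE_CHANGING


class ConfirmationRequired(Exception):
    """Raised when a state-changing call is attempted without user confirmation."""


class GuardedSession:
    """Holds a GitHub token for one chat turn (hypothetical wrapper, not the skill's).

    The transport is stubbed: calls are appended to self.sent so behaviour can be
    checked offline. Cached responses are written to a private 0700 directory
    created per session and removed by close(), never to a shared /tmp path.
    """

    def __init__(self, token: str) -> None:
        self._token = token
        self.sent = []
        # tempfile.mkdtemp creates the directory with mode 0700.
        self.cache_dir = tempfile.mkdtemp(prefix="ghchat-")

    def request(self, method: str, path: str, body: Optional[dict] = None,
                confirmed: bool = False) -> dict:
        """Issue an API call; state-changing calls must carry confirmed=True."""
        if is_state_changing(method) and not confirmed:
            raise ConfirmationRequired(
                f"{method.upper()} {path} would modify the repository; "
                "ask the user to confirm before sending it.")
        call = {"method": method.upper(), "path": path, "body": body}
        self.sent.append(call)  # stub transport: record instead of sending
        return {"ok": True, "call": call}

    def cache(self, name: str, data: str) -> str:
        """Store a response on disk, owner-readable only (0600), inside cache_dir."""
        dest = os.path.join(self.cache_dir, name)
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
        return dest

    def close(self) -> None:
        """Forget the token and delete everything cached during the session."""
        self._token = None
        shutil.rmtree(self.cache_dir, ignore_errors=True)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()


def file_mode(path: str) -> int:
    """Permission bits of path, used to verify the cache really is private."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    demo_token = "ghp_" + "x" * 36  # constructed placeholder, not a real token
    print(redact_tokens(f"here is my token {demo_token}"))
    with GuardedSession(demo_token) as s:
        s.request("GET", "/repos/o/r/issues")
        try:
            s.request("POST", "/repos/o/r/issues", {"title": "t"})
        except ConfirmationRequired as e:
            print("blocked:", e)
        s.request("POST", "/repos/o/r/issues", {"title": "t"}, confirmed=True)
        print("cache dir mode:", oct(file_mode(s.cache_dir)))
```

Run it directly to see one read-only call pass, one unconfirmed issue creation refused, and the same call accepted once confirmed; the token never appears in the printed chat text, and the cache directory is gone when the with-block exits.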

VirusTotal

64/64 vendors flagged this skill as clean.
