Worktree Agents

Security checks across malware telemetry and agentic risk

Overview

This is a real worktree automation skill, but it gives autonomous agents broad repository and GitHub authority with weak safety gates and unsafe credential handling.

Install only in a disposable or well-backed-up repository. Remove the hard-coded model key/proxy, avoid permission-bypass modes, use a dedicated least-privilege GitHub token, inspect diffs before any commit or push, and require human approval before PR creation or merge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill clearly instructs shell execution, repository mutation, and network-capable workflows, but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: a caller may treat it as low-risk metadata while the skill can actually perform impactful local and remote actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose focuses on local worktree orchestration, but the content also includes sandbox bypass, automatic commits, token handling, pushing branches, and direct PR creation/merge. That mismatch is dangerous because users and policy systems may authorize the skill for a narrower purpose than the behavior it actually enables.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill tells the agent to read a GitHub token from local secret storage and use it for PR creation and merge operations. This exceeds local orchestration and introduces secret access plus remote state changes, which can lead to unauthorized repository actions or token misuse if the workflow is triggered unexpectedly or manipulated.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill includes a hard-coded API key and a custom external inference endpoint, causing model prompts and potentially repository content to be sent to a third party unrelated to the declared local orchestration function. Hard-coded credentials are especially dangerous because they can be reused, leaked, or abused by anyone who can read the skill.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill advertises a Claude Code-based workflow but later supports a different Codex execution path with separate network and credential assumptions. This inconsistency can bypass user expectations and safety review, because a seemingly local tool path can silently become a third-party API-backed one.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The activation conditions are broad enough to match normal requests for collaboration or parallel work, increasing the chance that a high-privilege skill runs in contexts where the user did not intend repository mutation, token use, or remote actions. Overbroad triggers are risky here because the skill performs consequential operations beyond simple advice.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill describes reading GitHub credentials and performing PR and merge operations without prominent warnings or explicit user confirmation for irreversible repository changes. In this context, lack of consent and warning materially increases the risk of unauthorized code publication, branch changes, or accidental merges.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation recommends running Claude Code with `--dangerously-skip-permissions`, explicitly disabling safety boundaries. In a skill that can edit repositories, invoke shell commands, and access secrets, removing permission checks substantially raises the chance of unintended system modification or abuse.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill contains a hard-coded API key and instructs use of a custom base URL without warning that prompts, code, or secrets may be transmitted to a third party. This combines credential exposure with external data exfiltration risk, making compromise or unauthorized billing/data access highly likely if the file is shared or executed.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script invokes Claude with `--dangerously-skip-permissions`, which disables normal permission safeguards for an LLM operating inside a repository. In this skill's context, that is especially risky because the whole purpose is parallel autonomous code changes across multiple worktrees, so a bad prompt, compromised task input, or model mistake could read, modify, or exfiltrate sensitive project data without any human approval step.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically stages all changes and commits them without explicit user review, which can silently persist unintended, unsafe, or malicious modifications. In a multi-agent orchestration workflow this is more dangerous than usual because several autonomous instances may make broad edits in parallel, making it easier for harmful changes to be committed before a human inspects them.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script forcibly removes an existing worktree and then recursively deletes the target path without any confirmation, dry-run mode, or safety checks on the resolved path. In a multi-agent orchestration context, agent names and base paths may be generated or passed automatically, so a bad path, naming collision, or operator mistake can destroy local data unexpectedly.

External Transmission

Medium
Category
Data Exfiltration
Content
After verification passes, merge via the GitHub API:

```bash
curl -s -X PUT \
  -H "Authorization: Bearer $GH_TOKEN" \
  -H "Accept: application/vnd.github+json" \
  "https://api.github.com/repos/<owner/repo>/pulls/<pr_number>/merge" \
  -d
```

Confidence
90% confidence
Finding
`curl -s -X PUT -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/<owner/repo>/pulls/<pr_number>/merge" -d`

VirusTotal

VirusTotal findings are pending for this skill version.