Automate Nbm

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly an agent-routing automation template, but it needs review because its scripts can persist an SSH private key and send GitHub or webhook notifications.

Review this before installing in any repository with real secrets. Use a low-privilege GitHub token scoped to the one repository that needs it, do not set AUTOMATE_SSH_KEY unless you know which step needs a key and why, restrict who can apply the task/orchestrate labels (anyone who can label an issue can start the pipeline), and assume that every configured webhook target will receive task content, including whatever was pasted into the triggering issue.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 81%
Finding: The skill advertises shell-capable behavior but declares no permissions, which undermines informed consent and sandbox enforcement. In an agent skill, hidden or undeclared command execution increases the risk of unexpected local command execution, filesystem access, or chaining with other capabilities.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose materially differs from the reported behavior: outbound GitHub/API notifications, arbitrary webhooks, SSH key writes, and script execution are sensitive actions not implied by a benign 'agent team' description. This mismatch is dangerous because users may invoke the skill expecting content generation/orchestration while it performs credential handling, network exfiltration, or local system modification.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The auto-dispatch behavior routes tasks based on broad keyword matching and falls back to a default triage agent when no precise match is found. In an agent framework, ambiguous routing can cause tasks containing incidental words to invoke higher-capability or unintended agents, increasing the risk of prompt injection propagation, data overexposure, or unsafe action selection.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: Many dispatch keywords are generic terms such as common product, engineering, and support words, which makes accidental or adversarial triggering easier. In a multi-agent system, this weakens routing integrity because an attacker can craft task text to steer execution toward a desired specialist or orchestrator path without needing explicit authorization.
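The two routing findings above describe a mechanism rather than a single bug, so here is a runnable illustration of it, written for this page and not taken from the skill: a first-hit substring router of the kind described, next to a stricter router that only selects agents on whole-word matches, never reaches a consequential agent on keywords alone, and sends ambiguity to human triage instead of a default agent. The agent names, keyword lists, the "/agent <name>" directive syntax and the sample tasks are all assumptions.

```python
"""Added example for this page (not the skill's own dispatcher): a keyword router of
the kind the findings describe, next to a stricter one. Agent names, keyword lists,
the "/agent <name>" directive syntax and the sample tasks are all assumptions."""
import re

# Assumed agent table. "capability" marks agents whose actions are consequential
# (deploys, workflow runs); a router should never reach those on keyword hits alone.
AGENTS = {
    "deploy":  {"capability": "high", "keywords": ["deploy", "release", "ship"]},
    "support": {"capability": "low",  "keywords": ["customer", "ticket", "help"]},
    "docs":    {"capability": "low",  "keywords": ["readme", "document", "docs"]},
}


def route_naive(task: str) -> str:
    """Substring matching, first hit wins, default triage agent on a miss.
    Incidental words ("ship", "helpful") steer the task, and the high-capability
    agent is reachable from any issue text."""
    text = task.lower()
    for agent, spec in AGENTS.items():
        if any(k in text for k in spec["keywords"]):
            return agent
    return "triage"


DIRECTIVE = re.compile(r"^\s*/agent\s+([a-z]+)\b", re.IGNORECASE)  # assumed syntax


def keyword_candidates(task: str) -> set:
    """Whole-word matches only, collected across all agents instead of first-hit."""
    text = task.lower()
    hits = set()
    for agent, spec in AGENTS.items():
        if any(re.search(rf"\b{re.escape(k)}\b", text) for k in spec["keywords"]):
            hits.add(agent)
    return hits


def route_strict(task: str, requester_may_dispatch_high: bool = False) -> str:
    """An explicit directive beats keywords; keywords alone never select a
    high-capability agent; ambiguity goes to human triage, not a default agent."""
    m = DIRECTIVE.match(task)
    if m:
        agent = m.group(1).lower()
        if agent not in AGENTS:
            return "triage"
        if AGENTS[agent]["capability"] == "high" and not requester_may_dispatch_high:
            return "needs-approval"
        return agent
    hits = keyword_candidates(task)
    if len(hits) == 1:
        (agent,) = hits
        if AGENTS[agent]["capability"] == "low":
            return agent
    return "triage"


# Constructed sample tasks, not taken from any real issue.
SAMPLE_TASKS = [
    "Please document how we ship customer tickets",  # incidental "ship" hits deploy
    "Thanks, that was helpful",                      # "help" inside "helpful"
    "/agent deploy roll out 2.3",                    # explicit request for a high agent
    "Update the readme wording",                     # one unambiguous low-capability hit
]


def compare(tasks=SAMPLE_TASKS) -> list:
    """(task, naive route, strict route) for each sample task."""
    return [(t, route_naive(t), route_strict(t)) for t in tasks]


if __name__ == "__main__":
    for task, naive, strict in compare():
        print(f"{task!r}: naive={naive} strict={strict}")
```

On the first sample task the naive router picks the deploy agent because "ship" appears in a sentence about documentation; the strict router sees three competing candidates and hands the task to triage. On the directive form, a requester who is not allowed to dispatch high-capability agents gets a "needs-approval" result rather than a silent escalation.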

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The skill allows orchestration to be triggered automatically by applying a broad GitHub issue label, without documented restrictions on who can apply the label, what repositories/issues are eligible, or what actions the pipeline may perform. In a multi-agent system that can autonomously decompose work and execute tasks, this creates a meaningful risk of unauthorized or unsafe automation being launched from untrusted issue content.
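The overview's advice to restrict who can apply the task/orchestrate labels and to treat webhook targets as recipients of task content, and this finding's point about untrusted issue content, translate into a precondition check that runs before the pipeline does anything. The following is an added example written for this page, not the skill's code. The label names are the ones the overview mentions; the repository, account and webhook-host allowlists, the size cap, and the sample payload are assumptions. The payload fields read here (action, label.name, repository.full_name, sender.login, issue.body) are the standard GitHub `issues` webhook fields.

```python
"""Added example for this page, not the skill's own code: a precondition check that an
orchestration pipeline triggered by a GitHub issue label would run first. Label names
come from the page's overview; the repository, account and webhook host allowlists, the
size cap and the sample payload are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ORCHESTRATION_LABELS = {"task", "orchestrate"}       # named in the overview
TRUSTED_REPOS = {"example-org/automate-nbm"}         # assumed enrollment list
TRUSTED_LABELERS = {"maintainer-a", "maintainer-b"}  # assumed: who may apply the label
WEBHOOK_HOSTS = {"hooks.example.internal"}           # assumed notification targets
MAX_BODY_BYTES = 16_000                               # assumed cap on issue text fed to agents


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def gate_label_event(event: dict) -> Decision:
    """Checks the `issues` webhook payload of a `labeled` action. The account that
    applied the label is `sender`, not the issue author, so that is what is gated."""
    reasons = []
    if event.get("action") != "labeled":
        reasons.append("not a 'labeled' action")
    label = (event.get("label") or {}).get("name", "")
    if label not in ORCHESTRATION_LABELS:
        reasons.append(f"label {label!r} is not an orchestration label")
    repo = (event.get("repository") or {}).get("full_name", "")
    if repo not in TRUSTED_REPOS:
        reasons.append(f"repository {repo!r} is not enrolled")
    sender = (event.get("sender") or {}).get("login", "")
    if sender not in TRUSTED_LABELERS:
        reasons.append(f"label applied by non-allowlisted account {sender!r}")
    body = (event.get("issue") or {}).get("body") or ""
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        reasons.append("issue body exceeds size cap")
    return Decision(allowed=not reasons, reasons=reasons)


def webhook_target_allowed(url: str) -> bool:
    """Task content goes to whatever URL is configured, so pin scheme and host and
    reject userinfo tricks such as https://trusted.host@attacker.example/."""
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.hostname in WEBHOOK_HOSTS
        and parts.username is None
        and parts.password is None
    )


# Constructed payload carrying only the fields the gate reads.
SAMPLE_EVENT = {
    "action": "labeled",
    "label": {"name": "orchestrate"},
    "repository": {"full_name": "example-org/automate-nbm"},
    "sender": {"login": "maintainer-a"},
    "issue": {"number": 42, "body": "Decompose: add rate limiting to the API gateway."},
}


if __name__ == "__main__":
    print(gate_label_event(SAMPLE_EVENT))
    print(gate_label_event({**SAMPLE_EVENT, "sender": {"login": "drive-by"}}))
    print(webhook_target_allowed("https://hooks.example.internal@attacker.example/notify"))
```

Passing the gate only means the pipeline was started by an allowlisted account in an enrolled repository; the issue body is still untrusted text and should be handed to agents as data, not as instructions, which is the prompt-injection propagation risk the routing findings describe.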

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill describes autonomous end-to-end execution ('run autonomously from a single command' and automatic task advancement) but does not prominently warn users that it may perform consequential actions across multiple agents, tools, or workflows. In this context, the lack of explicit safety boundaries and user acknowledgment increases the chance of unintended code changes, workflow runs, or other impactful operations being initiated without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script writes SSH private key material from an environment variable directly to ~/.ssh/automate_key on disk. Even with mode 600, persisting secret key material to the filesystem increases exposure through backups, later reuse by other processes, accidental inclusion in artifacts, or compromise of the host account; there is also no cleanup after use.
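To make the finding concrete, here is the write it describes next to a variant that keeps the key in a private temporary directory for the duration of one job and scrubs it afterwards. This is an added example written for this page, not the skill's script. The variable name AUTOMATE_SSH_KEY and the path ~/.ssh/automate_key are taken from the page; the function names, the temporary-directory layout, and the placeholder key text are assumptions.

```python
"""Added example for this page, not the skill's script: the write the finding describes,
beside a variant that keeps the key in a private temp directory for one job and scrubs
it afterwards. AUTOMATE_SSH_KEY and ~/.ssh/automate_key come from the page; function
names, the temp layout and the placeholder key text are assumptions."""
import os
import stat
import tempfile
from contextlib import contextmanager
from pathlib import Path

ENV_VAR = "AUTOMATE_SSH_KEY"


def persist_key_as_flagged(env: dict, home: Path) -> Path:
    """Pattern in the finding: env var -> <home>/.ssh/automate_key, chmod 600, never removed.
    The file outlives the job and is readable by anything else running as this account."""
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    key_path = ssh_dir / "automate_key"
    key_path.write_text(env[ENV_VAR])   # created under the umask default, tightened only afterwards
    key_path.chmod(0o600)
    return key_path


@contextmanager
def ephemeral_key(env: dict):
    """Hardened variant: fresh 0700 directory (mkdtemp), file created 0600 before any
    byte is written (O_EXCL, so a pre-placed symlink fails), overwritten and unlinked
    on exit even when the caller raises."""
    material = env.get(ENV_VAR)
    if not material:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to run the ssh/git steps")
    tmpdir = Path(tempfile.mkdtemp(prefix="automate-key-"))
    key_path = tmpdir / "id"
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(material)
        yield key_path
    finally:
        # Best-effort overwrite; on copy-on-write or SSD storage this is not a guarantee,
        # which is one more reason to prefer an agent socket over any file.
        try:
            with open(key_path, "r+b") as fh:
                fh.write(b"\0" * key_path.stat().st_size)
        except OSError:
            pass
        key_path.unlink(missing_ok=True)
        tmpdir.rmdir()


def key_mode(path: Path) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(path.stat().st_mode)


# Constructed placeholder; not a real key.
FAKE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "constructed-not-a-key\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def demo() -> dict:
    """Runs both paths against a throwaway home directory and reports what is left behind."""
    env = {ENV_VAR: FAKE_KEY}
    home = Path(tempfile.mkdtemp(prefix="fake-home-"))
    flagged = persist_key_as_flagged(env, home)
    with ephemeral_key(env) as k:
        ephemeral_mode = key_mode(k)
        ephemeral_path = k
    return {
        "flagged_path_exists_after": flagged.exists(),
        "flagged_mode": key_mode(flagged),
        "ephemeral_mode": ephemeral_mode,
        "ephemeral_path_exists_after": ephemeral_path.exists(),
        "ephemeral_dir_exists_after": ephemeral_path.parent.exists(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value if not isinstance(value, int) or isinstance(value, bool) else oct(value)}")
```

The better option is to avoid a key file altogether: `ssh-add -` reads a private key from standard input into a running ssh-agent, after which git and ssh use the agent socket and no key material sits on the account's home directory, in backups, or in job artifacts. Where a file is unavoidable, the context-manager shape above at least bounds its lifetime to one job.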

VirusTotal

0/63 VirusTotal vendors flagged this skill; all 63 reported it clean. A clean antivirus verdict does not address the findings above: key persistence, outbound notifications, and label-triggered execution are design properties of the scripts, not malware signatures, and remain exactly as risky on a "clean" package.

View on VirusTotal