Security audit

Engineering manager 1-on-1 meeting brief generator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it gathers scoped GitHub activity, optionally packages bounded PR discussion excerpts, and writes local brief artifacts for a user-managed LLM step.

Before installing, use a GitHub token with the narrowest access that still works, set GITHUB_ORG to limit scope when possible, and treat .pullstar artifacts as sensitive because they may contain private repo activity and PR discussion excerpts. Review llm_input before sending it to an AI provider, especially when --pr-insights is enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The code serializes and persists the full LLM input payload to disk, including engineer identifiers and bounded raw PR review/comment excerpts. In this skill's context, those excerpts can contain internal code-review discussion, project details, or sensitive employee-performance signals, so writing them to a local file creates a durable data-exposure surface beyond the immediate model call. The lack of disclosure or consent at the write site increases the risk of unexpected retention and downstream access by other users, tools, backups, or logs.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding
The ingester writes collected GitHub activity to a local JSON file, including review and comment excerpts that may contain sensitive internal engineering context, links, or accidental secrets from PR discussions. Because this happens by default with no explicit consent prompt, encryption, or restrictive file-permission handling, the data can be exposed to other local users, backup systems, or downstream tools.

VirusTotal

65/65 vendors flagged this skill as clean.