Claude Code × Codex Collaborate

Security checks across malware telemetry and agentic risk

Overview

This looks like a real collaboration automation skill, but it needs Review because it can persist agent hooks, send broad project context to Codex, and rewrite workflow state in ways that may weaken safety pauses.

Install only in repositories where you are comfortable with local automation and Codex receiving project context. Keep loop automation off unless you explicitly want persistent hooks in .claude/settings.json, inspect docs/cccc/context-bundle.md before reviews on sensitive projects, and avoid using doctor/import/reset/repair against untrusted repos or preexisting configs without reviewing them first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Memory Poisoning: Persistent Context Injection, Context Window Stuffing, Memory Manipulation
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    stop_script = ROOT / ".claude/hooks" / "cccc-stop.sh"
    if stop_script.exists() and os.access(stop_script, os.X_OK):
        try:
            r = subprocess.run(
                ["bash", str(stop_script)],
                input='{"stop_hook_active":false}',
                capture_output=True, text=True, timeout=10,
Confidence
89% confidence
Finding
r = subprocess.run( ["bash", str(stop_script)], input='{"stop_hook_active":false}', capture_output=True, text=True, timeout=10,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if cli_path:
        record(PASS, f"Codex CLI: {cli_path}")
        try:
            ver = subprocess.run([cli_cmd, "--version"], capture_output=True, text=True, timeout=10)
            if ver.returncode == 0:
                record(PASS, f"  Codex version: {ver.stdout.strip()[:60]}")
            else:
Confidence
86% confidence
Finding
ver = subprocess.run([cli_cmd, "--version"], capture_output=True, text=True, timeout=10)

Tainted flow: 'stop_script' from os.environ.get (line 182, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    stop_script = ROOT / ".claude/hooks" / "cccc-stop.sh"
    if stop_script.exists() and os.access(stop_script, os.X_OK):
        try:
            r = subprocess.run(
                ["bash", str(stop_script)],
                input='{"stop_hook_active":false}',
                capture_output=True, text=True, timeout=10,
Confidence
93% confidence
Finding
r = subprocess.run( ["bash", str(stop_script)], input='{"stop_hook_active":false}', capture_output=True, text=True, timeout=10,

Tainted flow: 'cli_cmd' from os.environ.get (line 240, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    if cli_path:
        record(PASS, f"Codex CLI: {cli_path}")
        try:
            ver = subprocess.run([cli_cmd, "--version"], capture_output=True, text=True, timeout=10)
            if ver.returncode == 0:
                record(PASS, f"  Codex version: {ver.stdout.strip()[:60]}")
            else:
Confidence
90% confidence
Finding
ver = subprocess.run([cli_cmd, "--version"], capture_output=True, text=True, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs the agent to read and write project files and execute shell scripts, yet it declares no permissions. That mismatch is dangerous because it hides the true capability surface from users and policy tooling, reducing informed consent and making risky operations harder to audit or constrain.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The embedded Python ignores the supplied state-file argument and always writes to docs/cccc/state.json. In this workflow that can corrupt or desynchronize shared collaboration state, especially if the caller expects a different file or reuses the helper in another context. The skill context makes this more dangerous because state transitions gate whether implementation may proceed or pause for human review.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This block has two integrity issues: it hardcodes docs/cccc/state.json and misreads positional arguments, so values intended for state path, output file, and review status can be shifted or lost. That can cause incorrect roadmap/status updates, missed human pauses, or false approval/rejection decisions in a milestone gate, which is security-relevant because the script is supposed to enforce adversarial review before implementation.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script unilaterally installs and registers Claude hooks, modifies .claude/settings.json, and enables an automated stop-hook loop mode. That goes beyond passive collaboration orchestration and creates persistent agent-executed behavior in the workspace, which can alter future tool execution and continue actions without an explicit per-run user decision. In a security-sensitive environment, persistence plus automatic continuation increases the blast radius of any hook mistake, misconfiguration, or later compromise of hook scripts.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script's guidance for PAUSED_FOR_SYSTEM says continuation should require both the recommended strategy and an explicit --confirm, but the actual non-interactive state update logic later resumes based on strategy handling without enforcing that confirmation gate. This creates a policy/implementation mismatch: an automated caller can transition a workflow out of a system-error pause without the explicit acknowledgement the operator-facing text claims is required.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
For SENSITIVE_OPERATION/UNSAFE states, the script warns that explicit confirmation is required and that the safest default is to remain paused, yet the non-interactive logic allows the safe-alternative strategy to clear the pause and set READY_TO_CONTINUE with no confirmation check. In a safety gate, allowing state transition based solely on a strategy string weakens the intended human-in-the-loop control and can permit risky workflows to continue too easily.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script aggregates broad repository context into docs/cccc/context-bundle.md, including git diff output, status, and previews of untracked files, without any explicit user confirmation, warning, or opt-in gate. Although it attempts to filter some obvious secret and binary patterns, the allow/deny logic is incomplete and can still expose sensitive source, credentials stored under unexpected names, proprietary code, or other local artifacts to downstream review tooling or agents.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script persists the generated prompt and bundled project context under docs/cccc/runtime and docs/cccc/reviews without any explicit notice or minimization. In a collaboration/review skill, those artifacts may contain sensitive code, plans, or project metadata, creating an avoidable local data exposure and retention risk, especially if the repository is shared or later committed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Codex CLI invocation sends the generated prompt and full context bundle to an external tool without an explicit user acknowledgment or visible data-sharing notice. Given this skill's purpose, the bundle may include repository content and planning details; transmitting that externally can leak sensitive information even if the sandbox is read-only, because read-only constrains filesystem writes, not outbound disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically repairs and rewrites docs/cccc/state.json during the default detect action, with no user confirmation, dry-run mode, or explicit warning. Because the repaired milestone is inferred from loosely parsed markdown files, a malformed or adversarial document can silently alter workflow state and cause the agent to resume work on the wrong milestone or clear pause conditions.

Memory Manipulation

High
Category
Memory Poisoning
Content
| `/cc-codex-collaborate update` | Safe migration after skill upgrade. Syncs config/state fields, commands, enabled hooks. Does NOT overwrite user planning/review history. Does NOT enable hooks if not already enabled. |
| `/cc-codex-collaborate force-update` | Force sync regardless of version number. Same as update but ignores version check. |
| `/cc-codex-collaborate resume` | Resume a paused workflow. Does NOT bypass Codex gates, safety pauses, or secret requirements. |
| `/cc-codex-collaborate reset` / `reset state` | Reset state machine runtime state and rehydrate from docs. Does NOT delete planning docs, reviews, or logs. |
| `/cc-codex-collaborate doctor` | Diagnose installation, config, hooks, Codex, gates, and context. Does NOT modify files. |
| `/cc-codex-collaborate rebuild-context` | Rebuild context-bundle.md for Codex. Does NOT modify milestone status. |
| `/cc-codex-collaborate gates` | Show plan/milestone/final/safety gate status. Does NOT modify files. |
Confidence
81% confidence
Finding
reset state

Memory Manipulation

High
Category
Memory Poisoning
Content
| `/cc-codex-collaborate update` | Safe migration after skill upgrade. Syncs config/state fields, commands, enabled hooks. Does NOT overwrite user planning/review history. Does NOT enable hooks if not already enabled. |
| `/cc-codex-collaborate force-update` | Force sync regardless of version number. Same as update but ignores version check. |
| `/cc-codex-collaborate resume` | Resume a paused workflow. Does NOT bypass Codex gates, safety pauses, or secret requirements. |
| `/cc-codex-collaborate reset` / `reset state` | Reset state machine runtime state and rehydrate from docs. Does NOT delete planning docs, reviews, or logs. |
| `/cc-codex-collaborate doctor` | Diagnose installation, config, hooks, Codex, gates, and context. Does NOT modify files. |
| `/cc-codex-collaborate rebuild-context` | Rebuild context-bundle.md for Codex. Does NOT modify milestone status. |
| `/cc-codex-collaborate gates` | Show plan/milestone/final/safety gate status. Does NOT modify files. |
Confidence
81% confidence
Finding
Reset state

Memory Manipulation

High
Category
Memory Poisoning
Content
## Maintenance commands

### reset / reset state

Reset state machine runtime state. Run `cccc-reset.sh`. Uses `cccc-rehydrate-state.py` to infer current milestone from planning docs, reviews, and git history. Does NOT delete planning docs, reviews, or logs. Always creates backup.
Confidence
89% confidence
Finding
reset state

Memory Manipulation

High
Category
Memory Poisoning
Content
### reset / reset state

Reset state machine runtime state. Run `cccc-reset.sh`. Uses `cccc-rehydrate-state.py` to infer current milestone from planning docs, reviews, and git history. Does NOT delete planning docs, reviews, or logs. Always creates backup.

### doctor
Confidence
89% confidence
Finding
Reset state

VirusTotal

66/66 vendors flagged this skill as clean.