Release Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill coherently tracks GitHub releases and posts summaries, with disclosed scheduling and chat-delivery behavior, though users should configure it carefully.

Install this only if you want release monitoring that may run on a schedule. Use a least-privileged GitHub login, start with text output or a private channel, verify every outputChannel before enabling Discord/Telegram/Slack posting, and avoid the local CHANGELOG fallback unless you explicitly approve the exact file path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill instructs the agent to read a local file path under /opt/homebrew/lib/node_modules/<package>/CHANGELOG.md when GitHub release notes are sparse. That expands the skill from remote GitHub metadata retrieval into local filesystem access based on a package variable, which is broader than necessary and could expose unrelated local data or normalize unsafe file reads in automated runs.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrases are broad enough to match common requests like checking for updates or release notes, which can cause the skill to activate in contexts the user did not specifically intend. Because this skill can read config/state files and send messages externally, overbroad invocation increases the chance of unintended side effects from an ambiguous prompt.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill directs creation and updating of local config/state files and later delivery of summaries to Discord, Telegram, or Slack, but it does not require a user-facing warning or confirmation at the time those side effects occur. In practice this can lead to silent persistence and exfiltration of repository-derived content to external channels without clear consent, especially when used with cron automation.

VirusTotal

66/66 vendors flagged this skill as clean.
