Back to skill

Security audit

Project Context Sync

Security checks across malware telemetry and agentic risk

Overview

The skill has sensitive behavior, but it is coherent with its stated purpose and appears documented: it installs a Git post-commit hook and can optionally send repository context to a local Clawdbot gateway for AI summaries.

Install this only in repositories where you want a persistent post-commit hook updating PROJECT_STATE.md. Enable AI summaries only if you trust the local Clawdbot gateway and are comfortable sending commit messages, filenames, branch state, and related repository metadata to it; check whether that gateway forwards prompts to remote models or stores logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill documentation states that the script automatically reads a bearer token from a local user config file to authenticate API calls. Even if intended for convenience, automatic credential access expands the skill's privileges and can expose or misuse sensitive auth material if the script is compromised, overly broad, or run in an unexpected context.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The security note downplays risk as minimal while the documented behavior includes automatic local token reading and authenticated API use. This kind of reassurance can cause users to enable the feature without adequately considering credential handling, local process exposure, or misuse of authenticated requests.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script’s stated purpose is to update a local PROJECT_STATE.md from git state, but AI mode packages repository metadata, commit messages, changed filenames, and diff statistics into a prompt and sends it over HTTP to a gateway service. Even if the endpoint is localhost, this is still a data-transmission capability that can expose sensitive repository context to another service without being clearly necessary for the core local update function.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file header describes a simple local git-state updater, but the implementation also includes AI summarization that transmits repository context to a gateway. This mismatch is security-relevant because users may run the script expecting only local file generation, while it can send internal project metadata elsewhere.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The AI summary mode sends repository-derived context to an HTTP API, but the documentation does not clearly warn that commit messages, branch names, changed files, and inferred project state may contain sensitive codebase information. In a post-commit hook, this can happen routinely and implicitly, increasing the chance of unintentional data disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
At the transmission point, the script sends repository-derived content to a local HTTP API without any runtime warning or confirmation. In agent/tooling environments, localhost services may proxy to external systems or be operated by other components, so silent transmission of commit history and file names can leak sensitive development context.

External Transmission

Medium
Category
Data Exfiltration
Content
ESCAPED_PROMPT=$(echo "$PROMPT" | jq -Rs .)
        
        # Call gateway's OpenAI-compatible endpoint
        RESULT=$(curl -s -X POST "$GATEWAY_URL/v1/chat/completions" \
            -H "Authorization: Bearer $GATEWAY_TOKEN" \
            -H "Content-Type: application/json" \
            -H "x-clawdbot-agent-id: main" \
Confidence
96% confidence
Finding
curl -s -X POST "$GATEWAY_URL/v1/chat/completions" \ -H "Authorization: Bearer $GATEWAY_TOKEN" \ -H "Content-Type: application/json" \ -H "x-clawdbot-agent-id: main

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.