Git Hooks Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Git hook management skill, but it can install executable Git hooks from imported JSON, which creates persistent code execution in a repository.

Install only if you intentionally want this skill to create and manage Git hooks. Review any imported hook configuration before use, because those hooks can run commands automatically during future Git operations. Prefer trusted configs, pin dependencies, and remove unwanted hooks from .git/hooks if you no longer need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
`import_config` reads hook script contents from a JSON file and installs them directly into `.git/hooks`, making them executable on Unix via `install()`. Because Git hooks execute automatically during developer workflows, importing an untrusted config can silently establish persistent arbitrary code execution in the local repository context.

Unpinned Dependencies

Low
Category
Supply Chain
Content
click>=8.0.0
colorama>=0.4.6
pytest>=7.0.0
Confidence
93% confidence
Finding
click>=8.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
click>=8.0.0
colorama>=0.4.6
pytest>=7.0.0
Confidence
93% confidence
Finding
colorama>=0.4.6

Unpinned Dependencies

Low
Category
Supply Chain
Content
click>=8.0.0
colorama>=0.4.6
pytest>=7.0.0
Confidence
95% confidence
Finding
pytest>=7.0.0

Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
72% confidence
Finding
pytest

VirusTotal

67/67 vendors flagged this skill as clean.
