Roster

Security checks across malware telemetry and agentic risk

Overview

This looks like a real roster tool, but it can persistently change employee records and trigger GitHub workflows that send rosters externally with loose confirmation boundaries.

Install only for a trusted roster operator using a private repository and a fine-grained, single-repo GitHub token. Review the target GitHub Actions workflows before use, require explicit confirmations for employee-record changes and email/Telegram delivery, and test with dummy data before production employee data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch (Medium severity, 94% confidence)
The skill's stated purpose is roster generation, but these sections authorize ongoing maintenance of employees.json, including appending notes, adding employees, and changing training status. Expanding from schedule generation into persistent HR master-data modification increases the blast radius and creates a risk of silent data tampering or overcollection beyond user expectations.

Description-Behavior Mismatch (Medium severity, 93% confidence)
These sections add workflow-triggered PDF delivery and email publication, which are materially different from simple roster generation and GitHub upload. Hidden publication pathways can turn a drafting tool into a distribution mechanism that sends personal data to third parties without sufficiently narrow user intent.

Context-Inappropriate Capability (Medium severity, 91% confidence)
The skill includes broad employee master-data administration such as adding employees, storing emails, minor status, and updating training state. For a roster-generation skill, this is excessive privilege and increases privacy, integrity, and compliance risk if the agent misparses a message or is prompted into making persistent HR changes.

Description-Behavior Mismatch (Medium severity, 90% confidence)
The documented behavior expands the skill from roster creation into employee-directory retrieval and personnel record modification, including writing changes back to GitHub. That broader capability increases the attack surface and enables unauthorized access to or tampering with personnel data if command authorization and scope controls are weak or absent.

Description-Behavior Mismatch (Medium severity, 91% confidence)
The script explicitly supports sending the generated PDF to a Telegram chat, which expands behavior beyond the declared purpose of creating rosters and pushing them to GitHub. This hidden or under-documented external delivery path can exfiltrate roster data to third-party messaging destinations and increases the attack surface for unauthorized disclosure.

Context-Inappropriate Capability (Medium severity, 90% confidence)
Accepting an arbitrary numeric Telegram chat ID enables the caller to direct generated roster previews to external recipients without any ownership or authorization validation. In the context of staff scheduling data, this can expose sensitive employee availability and shift assignments to unintended parties.

Description-Behavior Mismatch (High severity, 95% confidence)
This script performs full replacement of employees.json in a GitHub repository, which is materially broader than the skill's stated purpose of generating weekly shift rosters from CSV availability data. That mismatch increases risk because it grants a data-modification capability over employee records that could be abused to tamper with staffing metadata, identities, or access-relevant operational data under the guise of roster automation.

Context-Inappropriate Capability (Medium severity, 93% confidence)
The script accepts arbitrary JSON from an argument, file, or stdin and replaces the entire employees.json file without enforcing a schema, field-level restrictions, or workflow controls. In a skill intended for roster generation, this creates an unjustified arbitrary overwrite primitive that could silently alter employee data and downstream scheduling behavior.

Vague Triggers (Medium severity, 95% confidence)
Treating broad phrases like 'OK', 'Ja', or 'Hochladen' as authorization to upload creates an unsafe intent boundary. In conversational systems, such vague affirmations are easy to utter accidentally or in a different context, leading to unintended repository writes or downstream actions.

Vague Triggers (Medium severity, 96% confidence)
The examples for publish and upload rely on everyday language rather than a strict confirmation protocol, which increases the chance of accidental execution of external side effects. Because these actions can write to GitHub and initiate distribution workflows, ambiguous invocation is a real safety issue, not just a UX concern.

Missing User Warnings (Medium severity, 88% confidence)
This workflow describes modifying stored employee records in GitHub, including training status and notes, without any mention of authorization, validation, audit requirements, or privacy safeguards. In context, this is dangerous because personnel data is being altered through conversational commands, which can lead to unauthorized or incorrect HR-style record changes.

Missing User Warnings (Medium severity, 91% confidence)
The skill collects and stores personal data for a newly detected employee, including email address and age-related status, then pushes it to GitHub without any privacy notice, minimization guidance, or access-control discussion. Because this is employee PII, the roster-management context makes mishandling more serious: the system is normalizing collection and repository storage of sensitive personnel attributes through chat interaction.

Missing User Warnings (Medium severity, 89% confidence)
The script makes an authenticated outbound request to GitHub without any user-facing disclosure at runtime, which can be risky in an agent skill because it silently transmits repository metadata and uses a sensitive credential. In an automation context, undisclosed credentialed network access reduces user awareness and makes misuse or unintended data access harder to detect.

Missing User Warnings (Medium severity, 86% confidence)
The script performs an authenticated remote write to GitHub and may overwrite an existing file on the main branch without any interactive confirmation, dry-run mode, or guardrail. In an agent or automation context, this can cause unintended repository modification and trigger downstream workflows from unreviewed input.

Missing User Warnings (Medium severity, 79% confidence)
This script performs a one-shot authenticated network action that dispatches a workflow with real-world side effects, including sending emails, without any confirmation prompt, dry-run mode, or summary of what will happen. In an agent or automation context, this increases the risk of accidental or unintended publication, causing unauthorized notifications or release of roster information to recipients.

VirusTotal

66/66 vendors flagged this skill as clean.