ClawHub
Back to skill

Security audit

Tribunal Usage

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed usage guide for a developer quality-gate tool; its broad hooks and local logs are expected for that purpose but should be installed deliberately.

Install this only in repositories where you want Tribunal to intercept development activity and write local audit logs. Keep .tribunal/ private or ignored unless you intend to share it, review any external Tribunal plugin packs before installing them, and use MCP access only from trusted local sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly documents persistent audit logging of hook events to `.tribunal/audit.jsonl`, including fields such as `file_path`, `agent_id`, and `detail`, but provides no user-facing notice, consent guidance, retention limits, or handling precautions. In an agent workflow, these logs can capture sensitive filenames, operational metadata, and potentially content-derived details, creating a meaningful privacy and data exposure risk if users are unaware or the logs are mishandled.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that Tribunal hooks into every file write, test run, and agent interaction, which describes broad monitoring of developer and agent activity without an explicit warning about the scope of interception or its privacy implications. Because this is framed as routine setup guidance, users may enable pervasive monitoring without realizing the extent of collection and enforcement behavior.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal