contract-doc-sync

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local documentation-sync skill that reads repository context and edits whitelisted docs files, with an explicit warning for optional cloud-LLM semantic review.

Install only if you are comfortable with the agent reading repository source, docs, build files, and AGENTS-style files to update documentation. For sensitive repositories, use L0/L1 or set DOC_SYNC_SKIP_D10=true before L3, and require explicit approval before any non-doc file such as AGENTS.md is changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The skill states there are no network requests, yet L3/D10 explicitly permits sending code and documentation content to a cloud LLM provider. This creates a real confidentiality risk because users may invoke the skill expecting strictly local processing while sensitive repository contents are exfiltrated to an external service.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The skill states there are no network requests, yet L3/D10 explicitly permits sending code and documentation content to a cloud LLM provider. This creates a real confidentiality risk because users may invoke the skill expecting strictly local processing while sensitive repository contents are exfiltrated to an external service.

Scope Creep

Severity: High
Confidence: 95%
Finding:
The documented process scans many project files outside docs/, including source code, configs, build manifests, AGENTS rules, and repository metadata, contradicting the advertised docs-only constraint. This broader read surface is dangerous because it can expose secrets, proprietary logic, or sensitive instructions to the agent and, in L3, potentially to external providers.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
Cloud LLM semantic analysis is unjustified relative to the advertised local-only doc-sync function and materially changes the trust boundary. Because D10 involves reading code fragments and docs for semantic comparison, it can leak sensitive business logic, credentials in code/comments, or regulated data to a third party if enabled.

Scope Creep

Severity: High
Confidence: 97%
Finding:
The skill documentation instructs the agent to enumerate and read repository files outside the declared docs/ Markdown write/read scope, including AGENTS.md, CLAUDE.md, build files, changelogs, and even a skill-local file under $HOME. That expands data access beyond the user-visible contract and can expose unrelated secrets, internal rules, or local environment information during a routine 'doc sync' operation.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The published skill description promises operation limited to local scripts and docs/ Markdown files, but the environment-probing instructions direct broad repository discovery and metadata inspection. This mismatch is dangerous because users and policy systems may authorize the skill under a narrower trust model than its actual behavior, enabling overbroad file access under false expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
Reading AI rule files, build metadata, and the installed skill directory exceeds the minimum necessary access for synchronizing Markdown documentation in most cases. Even without exfiltration, this broadens local data exposure and increases the chance that sensitive instructions, project structure, or environment details influence or leak through generated output.

Scope Creep

Severity: Medium
Confidence: 92%
Finding:
The L3 workflow explicitly instructs the skill to read and validate AGENTS.md and OpenSpec files, which expands behavior beyond the stated docs-only/local-doc-sync scope. That scope creep can expose unrelated repository content to the agent and violates least-privilege expectations, especially when users invoke a documentation sync tool expecting it to stay within docs/ targets.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The procedure adds broader repository-audit tasks such as cross-document reference validation and OpenSpec intent checks, which go beyond simple code-to-doc synchronization. In an agent setting, undocumented expansion of analysis scope increases the chance of over-collection, unexpected file access, and user surprise about what the tool inspects.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The trigger conditions are broad and include common development lifecycle events like completing coding, preparing a PR, releasing, or refactoring, not just explicit user requests. In agent ecosystems with auto-suggestion or automatic invocation, this can cause the skill to run unexpectedly, increasing the chance of unreviewed file access, edits, or remote LLM use.

VirusTotal

67/67 vendors flagged this skill as clean.