ForkZoo

Security checks across malware telemetry and agentic risk

Overview

ForkZoo is not clearly malicious, but it needs review because adoption uses a powerful GitHub token to fork repositories, enable unrestricted Actions, run workflows, and publish Pages.

Install only if you are comfortable giving the skill GitHub repository and workflow authority. Review the upstream ForkZoo repositories and workflow files first, use the narrowest token possible, and expect adoption to create a fork, enable Actions, run workflows, and publish a GitHub Pages site.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill invokes shell scripts and operational GitHub actions but does not declare corresponding permissions or capabilities in a transparent way. That creates a hidden-execution risk: an agent or user may invoke repository-modifying behavior without realizing the skill can run shell commands and perform account-affecting automation.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The documented purpose frames the skill as a harmless pet-management feature, but the described behavior includes forking repositories into the user's account, enabling GitHub Actions and Pages, and dispatching workflows using a privileged token. This mismatch is dangerous because it can socially engineer approval for significant account and repository changes under the guise of a novelty feature.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The script does substantially more than 'adopt' a pet repository: it enables Actions, dispatches a workflow, and publishes Pages on the user's account. Those are privileged administrative changes that can cause unreviewed code from the forked repository to execute and be publicly hosted, which is risky given the required repo/workflow-scoped token.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
Setting GitHub Actions permissions to allowed_actions='all' broadly authorizes all actions in the repository, including third-party or newly added actions, which expands the execution surface unnecessarily. In a freshly forked repo, this can permit untrusted workflow code to run under the user's account context and consume secrets, repository permissions, or automation capabilities.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding:
The script automatically enables GitHub Pages for the forked repository, creating a public hosting surface that is not clearly necessary for adoption itself. If the repository contains unsafe or unexpected web content, it can be published under the user's GitHub Pages domain without a separate review step.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The trigger phrases are broad enough to match ordinary mentions like 'my pet' or general tamagotchi-related conversation, which increases the chance of unintended activation. In this skill, accidental invocation is more serious because activation can lead to shell-script execution and GitHub account modifications rather than a purely informational response.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation states that the skill needs a GitHub token with repo and workflow scopes and will enable workflows, but it does not present this with a strong user-facing warning about the consequences. Because these scopes allow impactful repository operations and workflow execution, users may supply credentials without understanding the security, billing, and persistence implications.

VirusTotal

66/66 vendors flagged this skill as clean.
