ClawHub

ForkZoo

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it needs powerful GitHub access and automatically enables workflows and publishing in the user's account.

Review before installing. Use a dedicated fine-grained or temporary GitHub token limited to the intended pet repository where possible, inspect the forkZoo repositories and their workflows before adoption, and be prepared to disable Actions, disable Pages, revoke the token, or delete the fork when you no longer want the automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to run local shell scripts such as ./scripts/adopt.sh and ./scripts/interact.sh, but the skill metadata does not declare corresponding permissions or execution expectations. This creates a trust boundary problem: an agent may invoke shell-capable behavior without clear user consent or sandbox expectations, increasing the risk of unintended local command execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script does substantially more than 'adopt' a pet repository: it enables GitHub Actions, triggers a workflow, and configures GitHub Pages on the user's fork. These administrative actions can execute code from the forked repository and publish content, which expands risk beyond the user-visible purpose and is especially sensitive because the script requests a broadly scoped GitHub token.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script sets repository Actions permissions to allow all actions, which is broader than necessary for a pet-adoption workflow. On a newly forked repository, this can permit arbitrary third-party or unreviewed GitHub Actions to run with repository context, increasing the chance of code execution, secret misuse, or supply-chain abuse.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script's 'interact' operation performs a state-changing GitHub API call by dispatching repository workflows, which is more than a passive pet interaction or status check. In an agent context, this can cause unintended writes, consume Actions minutes, and execute arbitrary repository automation with the user's token-backed authority.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger description is very broad, including generic phrases like pet-related requests, tamagotchi mentions, and 'my pet' queries, which can cause the skill to activate in unrelated conversations. Unintended invocation is dangerous here because the skill can lead to GitHub token handling and shell-script-driven repository actions, so accidental routing expands the chance of sensitive or destructive operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup instructions ask for a GitHub token with broad repo and workflow scopes and tell the user to store it as GITHUB_TOKEN or in config, but provide no warning about credential sensitivity, least privilege, or secure storage. This is especially risky because workflow scope can modify or trigger GitHub Actions, and repo scope can affect repository contents across the user's account depending on token type.

External Transmission

Medium
Category
Data Exfiltration
Content
# Enable GitHub Actions (they're disabled by default on forks)
echo "⚡ Enabling GitHub Actions..."
curl -s -X PUT \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/actions/permissions" \
Confidence
94% confidence
Finding
curl -s -X PUT \ -H "Authorization: token $GITHUB_TOKEN" \ -H "Accept: application/vnd.github.v3+json" \ "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/actions/permissions" \ -d '{"enab

External Transmission

Medium
Category
Data Exfiltration
Content
# Enable GitHub Pages
echo "🌐 Setting up GitHub Pages..."
curl -s -X POST \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/pages" \
Confidence
83% confidence
Finding
curl -s -X POST \ -H "Authorization: token $GITHUB_TOKEN" \ -H "Accept: application/vnd.github.v3+json" \ "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/pages" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s -X PUT \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/actions/permissions" \
  -d '{"enabled": true, "allowed_actions": "all"}' > /dev/null

# Trigger the genesis workflow if it exists
Confidence
95% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s -X POST \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/actions/workflows/genesis.yml/dispatches" \
  -d '{"ref": "main"}' 2>/dev/null || true

# Enable GitHub Pages
Confidence
92% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s -X POST \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/pages" \
  -d '{"source": {"branch": "main", "path": "/"}}' 2>/dev/null || true

PAGES_URL="https://$GITHUB_USER.github.io/$REPO_NAME/"
Confidence
84% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Try different workflow names
for WORKFLOW in "daily-evolution.yml" "evolve.yml" "daily.yml"; do
  RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
    -H "Authorization: token $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github.v3+json" \
    "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/actions/workflows/$WORKFLOW/dispatches" \
Confidence
91% confidence
Finding
curl -s -o /dev/null -w "%{http_code}" -X POST \ -H "Authorization: token $GITHUB_TOKEN" \ -H "Accept: application/vnd.github.v3+json" \ "https://api.github.com/repos/$GITHUB_USER/$REPO_NA

External Transmission

Medium
Category
Data Exfiltration
Content
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
    -H "Authorization: token $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github.v3+json" \
    "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/actions/workflows/$WORKFLOW/dispatches" \
    -d '{"ref": "main"}' 2>/dev/null)
  
  if [ "$RESPONSE" == "204" ]; then
Confidence
90% confidence
Finding
https://api.github.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal