Contextual Git-Committer

Security checks across malware telemetry and agentic risk

Overview

This commit-message helper is not malicious, but it needs review because it reads shell history outside the repository and includes recent commands in AI-facing output without opt-in or redaction.

Install only if you are comfortable with staged diffs, branch and commit metadata, and recent bash/zsh commands being shown to the agent. Avoid using it after typing secrets or sensitive infrastructure commands, or clear/edit shell history first. A safer version would make terminal-history collection opt-in and redact secret-looking values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill declares no permissions while its documented behavior clearly involves file reads and shell-backed git inspection. That mismatch can bypass user expectations and platform trust controls, especially because repository diffs, commit history, and shell history may contain sensitive information.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill is presented as a commit-message helper, but its behavior expands into reading shell history, git history, branch names, and parsing code context, which materially broadens data exposure. This description-behavior mismatch is dangerous because users may invoke it for a simple writing task without realizing it collects unrelated local context that can reveal secrets, internal commands, or sensitive project details.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding:
The skill reads ~/.bash_history and ~/.zsh_history, but the skill description only mentions staged changes and workspace context. This hidden data collection is security-relevant because shell history may contain secrets, tokens, internal hostnames, and unrelated commands that users would not expect to be harvested for commit-message generation.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding:
Reading full shell history files is overbroad for the stated purpose of generating commit messages. Even though the code later limits output to recent unique commands, it still loads entire history files into memory and processes unrelated user activity, increasing exposure of sensitive data well beyond what is necessary.

Missing User Warnings

Medium
Confidence: 97%
Finding:
Reading recent shell or terminal history without a prominent privacy warning is a significant privacy and security risk because command history often contains tokens, credentials, internal hostnames, file paths, and operational details. In this skill's context, shell history is not strictly necessary to generate commit messages, making the collection disproportionate and more dangerous.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The code silently reads shell history without any warning, prompt, or runtime disclosure to the user. This undermines informed consent and can surprise users by pulling in commands that may contain credentials or operational details unrelated to the repository.

Ssd 3

High
Confidence: 99%
Finding:
The skill embeds recent terminal history directly into the AI-facing markdown output alongside diffs and commit context. This creates a direct data-exfiltration path for secrets typed at the shell, such as API keys in curl commands, database passwords, tokens in environment exports, private URLs, or sensitive operational commands, especially if the output is sent to an external model or logged elsewhere.

VirusTotal

67/67 vendors flagged this skill as clean.
