ClawHub

Git-Crypt Backup

Security checks across malware telemetry and agentic risk

Overview

This is a transparent backup skill that pushes user-selected Clawdbot workspace and config repositories to GitHub, with real but expected sensitive-data risks.

Install only if you want Clawdbot workspace and configuration data backed up to GitHub. Use private repositories, verify git-crypt is initialized before the first commit, test encryption from a fresh clone, review `git status` and staged files before enabling cron, and store exported git-crypt keys securely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill advertises automated daily backups to GitHub without clearly foregrounding that local workspace and configuration contents will be transmitted to a remote repository on a schedule. In a backup skill handling config, sessions, credentials, and memory files, insufficient disclosure materially increases the risk of users enabling recurring exfiltration of sensitive local data to a remote destination they may not have fully reviewed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically stages, commits, and pushes changes from both the workspace and config repositories to a remote without any confirmation, dry-run, or explicit notice at execution time. Even if the stated purpose is backup, this creates a real risk of unintentionally transmitting sensitive local data, secrets, or newly added files to GitHub, especially because it operates on a config directory that may contain credentials or private settings.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup

### 1. Create GitHub repos (private recommended)

```bash
# Create two private repos on GitHub:
Confidence
81% confidence
Finding
Create GitHub repos (private recommended) ```bash # Create two private repos on GitHub: # - <username>/clawdbot-workspace # - <username>/clawdbot-config ``` ### 2. Initialize git-crypt ```bash # In

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal