copilot-team-scaffold

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent as an AI-team scaffold, but it installs persistent hooks and memory/session recovery behavior that can carry prior conversation data into future work.

Install only if you want this project to have persistent Copilot hooks that can block agent actions, run local validation commands, and reuse saved planning, lessons, logs, and prior session context. Review or disable the session-catchup script and global memory creation if you handle secrets, client data, or unrelated projects on the same machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is scaffolding, but the skill also sets up a broad enforcement and automation framework: lifecycle hooks, tool blocking, validation gates, logging, lesson capture, and cross-session context recovery. That mismatch is security-relevant because users may invoke a setup skill without realizing it installs persistent behavior that can control future agent actions and collect repository/session data.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script derives a path under ~/.claude/projects and reads session JSONL files from that global store, which is outside the scaffolded project workspace. In a SessionStart context, this can pull prior conversation data into the current workflow without explicit user review, creating a real cross-session data exposure risk even though the implementation appears intended for convenience rather than exfiltration.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill intentionally creates persistent memories, audit logs, and cross-session lesson injection in plain-language files. This can retain sensitive project details, user prompts, validation failures, and operational context longer than expected, increasing the chance of inadvertent disclosure to later sessions, agents, or repository collaborators.

Ssd 3

Medium
Confidence
92% confidence
Finding
The lifecycle explicitly instructs trend analysis, audit recording, lesson injection, completion summaries, and context restoration across sessions. In this scaffold context, that makes the danger more concrete because the feature is not incidental text; it is part of the designed runtime behavior that propagates prior conversational and project data into future executions.

Ssd 3

Medium
Confidence
88% confidence
Finding
Automatically appending validation failures to a lessons file and reloading that file into later sessions creates a feedback loop that can preserve stack traces, file paths, code excerpts, or other sensitive implementation details. Because this content is later injected into context, exposure can spread beyond the original failure event.

Ssd 3

Medium
Confidence
94% confidence
Finding
Cross-project memory files that are automatically loaded every session create persistent context bleed across repositories and engagements. In a scaffolding skill, this is especially risky because it institutionalizes broad retention as a default and may surface project-specific practices or sensitive operational details in unrelated future work.

Ssd 3

Medium
Confidence
97% confidence
Finding
The summary function copies user and assistant content directly from prior session messages and prints it into the new session, only truncating length rather than redacting secrets. This can leak credentials, tokens, personal data, proprietary code, or sensitive instructions from an earlier conversation into a later context where different agents, tools, or logs may now access it.

VirusTotal

60/60 vendors flagged this skill as clean.
