Github Bounty Finder

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward bounty-scanning CLI, but users should protect the API keys it asks them to store locally.

Install only if you trust the package source and npm dependency chain. Use least-privilege GitHub and Algora credentials, keep .env out of version control, avoid sharing logs or result files that might reveal private issue data, and rotate any token that was accidentally committed or exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README instructs users to store live API credentials in a local .env file but does not warn them to keep that file out of version control or otherwise protect it. This creates a realistic risk of accidental credential disclosure through commits, logs, backups, or shared archives, especially because the document presents the workflow as standard setup guidance.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill instructs users to place long-lived API credentials in a local `.env` file without any guidance on secure handling, exclusion from version control, least-privilege scopes, or rotation. This can lead to accidental token exposure through commits, backups, logs, or shared environments, especially because both GitHub and Algora tokens grant access to external accounts and APIs.

Missing User Warnings

Medium
Confidence: 88%
Finding
The manifest requires a GitHub Personal Access Token and Algora API key but does not provide any warning about how credentials are stored, transmitted, or used over the network. In a credentialed scanner, lack of disclosure and handling guidance increases the risk of users supplying sensitive tokens to a tool without informed consent or sufficient safeguards.

VirusTotal

62/62 vendors flagged this skill as clean.