GitHub Bug Report

Security checks across malware telemetry and agentic risk

Overview

This bug-reporting skill matches its general purpose, but it ships a hardcoded GitHub token and can create or modify public issues, so it needs review before use.

Do not install or run this version as-is. The embedded GitHub token should be revoked and removed, examples should use a user-supplied least-privilege token, and the workflow should require review before posting logs, configs, screenshots, new issues, updates, or follow-up comments to GitHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documents direct network access to GitHub APIs and issue submission workflows, yet no declared permissions are mentioned. Undeclared network capability reduces transparency and prevents proper user or platform review of outbound data handling, especially since issue contents may include logs and configuration data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill claims to be a bug-report workflow but also includes capabilities to update existing issues and, more seriously, embeds a hardcoded GitHub token. This mismatch hides sensitive authentication behavior from users and reviewers, increasing the chance of unauthorized actions and secret exposure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation exposes a live-looking GitHub personal access token and instructs users to send it in Authorization headers. Hardcoded credentials in skill content are highly dangerous because anyone with access to the file can reuse the token to read or modify repository data, and the token may be harvested automatically.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The manifest frames the skill as reporting bugs, but the instructions also cover modifying existing issues via updates and scheduled bump messages. This broader write capability changes the trust boundary because a user may expect passive reporting, not repeated or automated interactions with an external repository.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document embeds a GitHub personal access token directly in a curl example. Hardcoded credentials are highly dangerous because anyone with access to the skill can reuse the token to access GitHub APIs with the token owner's permissions, turning documentation into a credential leak.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The same personal access token is exposed again in the issue lookup example, confirming repeated disclosure rather than an isolated mistake. Repetition increases the chance of misuse and signals that sensitive credentials are being normalized in end-user instructions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The issue creation example includes a live-looking GitHub token in a command that performs authenticated repository writes. This enables unauthorized issue creation and any other API actions permitted by the token, making the exposure especially dangerous because it is tied to state-changing operations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The update example again exposes the same reusable token in a write-capable GitHub API call. A leaked token in modification workflows can let an attacker alter issue content, spam maintainers, or perform broader actions depending on token scope.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill not only references credential use but directly discloses a GitHub token without any warning about safe handling, storage, or scope. This creates immediate account and repository risk because exposed tokens can be abused for unauthorized API calls and may persist in logs, caches, or forks.

Missing User Warnings

High
Confidence
95% confidence
Finding
The markdown provides authenticated commands that create and modify GitHub issues without warning users that they will perform live repository changes. In context, this is more dangerous because the skill is explicitly designed to submit bug reports, so users may run commands verbatim and unintentionally trigger external write actions with leaked credentials.

Missing User Warnings

Critical
Confidence
99% confidence
Finding
The document exposes a GitHub authorization token across multiple curl commands with no warning about credential sensitivity. This is effectively secret disclosure in operational guidance, and the bug-reporting context makes it worse because the examples are likely to be copied directly by users or agents interacting with an external service.

Missing User Warnings

High
Confidence
100% confidence
Finding
A GitHub personal access token is hardcoded directly in the script and automatically attached to outbound API requests. Anyone with access to this file can reuse the credential to create, modify, search, or potentially perform any other actions allowed by the token's scopes against the repository or associated account.

Ssd 3

Medium
Confidence
91% confidence
Finding
The instructions encourage attaching logs, screenshots, and configuration JSON to a public GitHub issue without any sanitization warning. Such artifacts frequently contain API keys, tokens, usernames, internal paths, or other sensitive operational details, making accidental data exposure likely.

VirusTotal

67/67 vendors flagged this skill as clean.
