Forge 🔨 Repair-Inspect Loop

Security checks across malware telemetry and agentic risk

Overview

Forge is a coherent code-repair helper, but it grants broad automated repair authority and can run project-local code without a clear approval gate.

Install only if you are comfortable with an automated repair workflow modifying a repository. If you do install it:
  • Run it in a clean branch or a disposable checkout.
  • List sensitive paths in protected-files.txt so the loop refuses to touch them.
  • Review generated task files and diffs before accepting results.
  • Disable automatic commits unless you explicitly want them.
  • Do not run the summary/doc-sync behavior on an untrusted repository: it executes that repository's scripts/tools/doc-sync-checker.py, so running it means running that repository's code.
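One way to implement the protected-files check and the commit gate described above, as an added example that is not Forge's own code. The protected-files.txt syntax (one glob per line, `#` comments, a trailing `/` for a subtree, a bare file name matching anywhere), the function names and the sample inputs are all assumptions.

```python
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Assumed protected-files.txt syntax (the page does not show Forge's real one):
# one pattern per line, '#' starts a comment, a trailing '/' protects a whole
# subtree, a pattern without '/' matches that file name anywhere in the tree,
# anything else is an fnmatch-style glob against the repo-relative path.


def parse_protected_list(text: str) -> list[str]:
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def is_protected(path: str, patterns: list[str]) -> bool:
    norm = PurePosixPath(path).as_posix()  # "./a/b" -> "a/b"
    name = PurePosixPath(norm).name
    for pat in patterns:
        if pat.endswith("/"):
            # Subtree pattern: the directory itself or anything below it.
            if norm == pat.rstrip("/") or norm.startswith(pat):
                return True
        elif "/" not in pat and fnmatchcase(name, pat):
            return True
        elif fnmatchcase(norm, pat):
            return True
    return False


def review_repair(changed_files, patterns, auto_commit_enabled, user_approved) -> dict:
    """Gate a PASSing repair before anything is committed.

    Never allows a commit when a protected file changed, and never allows one
    without an explicit per-run approval even if auto-commit is switched on.
    """
    blocked = sorted(f for f in changed_files if is_protected(f, patterns))
    if blocked:
        return {"commit": False, "blocked": blocked,
                "reason": "repair touches protected files; reject the diff"}
    if auto_commit_enabled and user_approved:
        return {"commit": True, "blocked": [],
                "reason": "auto-commit enabled and approved for this run"}
    return {"commit": False, "blocked": [],
            "reason": "leave changes uncommitted for human review"}


# Constructed sample input: a protected list and the files one repair round touched.
SAMPLE_PROTECTED = """
# CI and deployment config must never be auto-repaired
.github/
secrets/
*.env
deploy.key
"""
SAMPLE_CHANGED = ["src/app.py", "./config/.env", "ops/deploy.key", "tests/test_app.py"]

if __name__ == "__main__":
    pats = parse_protected_list(SAMPLE_PROTECTED)
    print(review_repair(SAMPLE_CHANGED, pats, auto_commit_enabled=True, user_approved=True))
```

The decision object is meant to be evaluated on the loop's PASS branch, before any `git commit`; a blocked list that is non-empty should fail the round rather than merely warn, because the whole point of the list is that the loop cannot be trusted to make the call on its own.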

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    checker = workdir / "scripts" / "tools" / "doc-sync-checker.py"
    if checker.exists():
        try:
            result = subprocess.run(
                [sys.executable, str(checker), "--json"],
                capture_output=True, text=True, cwd=str(workdir), timeout=30
            )
Confidence
99% confidence
Finding
result = subprocess.run( [sys.executable, str(checker), "--json"], capture_output=True, text=True, cwd=str(workdir), timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs the agent to execute shell commands and perform project file reads/writes, but the metadata declares no permissions or capability boundaries. This creates a trust and enforcement gap: a caller may assume the skill is documentation-only or low-privilege when it actually orchestrates code modification, state persistence, and git-affecting actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill writes learned 'universal' repair patterns to a shared location under `FORGE_DIR/reflections`, outside the target workdir. That creates a cross-project persistence channel that can exfiltrate sensitive project details into future sessions and lets one repository poison prompts used when repairing another repository.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code explicitly discovers and executes `scripts/tools/doc-sync-checker.py` from the repository being analyzed. Because the repository content is potentially adversarial and the skill's purpose is orchestration rather than trusted plugin execution, this introduces unnecessary arbitrary code execution risk during routine summary/check operations.
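The flagged call beside a guarded form, as an added example that is not Forge's code. The guarded version refuses repository-local scripts unless the caller opted in and the script's bytes match a pinned SHA-256 it has already reviewed, and it executes exactly the bytes it hashed. The function names, the allowlist mechanism and the throwaway fixture in `demo()` are assumptions, not part of the skill.

```python
import hashlib
import json
import subprocess
import sys
import tempfile
from pathlib import Path

# Assumed: the orchestrator keeps a pinned allowlist of reviewed checker
# scripts keyed by SHA-256 of their bytes. Names here are illustrative.


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_checker_unpinned(workdir: Path) -> dict:
    """Mirrors the flagged pattern: run whatever the repo ships, if present."""
    checker = workdir / "scripts" / "tools" / "doc-sync-checker.py"
    if not checker.exists():
        return {"status": "skipped"}
    result = subprocess.run([sys.executable, str(checker), "--json"],
                            capture_output=True, text=True, cwd=str(workdir), timeout=30)
    return {"status": "ran", "stdout": result.stdout}


def run_checker_guarded(workdir: Path, allowed_sha256: set[str], repo_scripts_opt_in: bool) -> dict:
    """Only run a repo-local checker that the caller enabled and that is pinned."""
    checker = workdir / "scripts" / "tools" / "doc-sync-checker.py"
    if not checker.exists():
        return {"status": "skipped", "reason": "no checker in repo"}
    if not repo_scripts_opt_in:
        return {"status": "refused", "reason": "repo-local scripts not enabled for this run"}
    src = checker.read_bytes()  # read once; hash and execute the same bytes
    digest = sha256_bytes(src)
    if digest not in allowed_sha256:
        return {"status": "refused", "reason": "script not in pinned allowlist", "sha256": digest}
    # Feed the hashed bytes on stdin so a swap on disk between hash and exec
    # (TOCTOU) cannot change what runs; -I keeps cwd off sys.path and ignores
    # PYTHON* environment variables, so the repo cannot smuggle in imports.
    try:
        result = subprocess.run([sys.executable, "-I", "-", "--json"], input=src,
                                capture_output=True, cwd=str(workdir), timeout=30)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "sha256": digest}
    try:
        payload = json.loads(result.stdout.decode())
    except ValueError:
        payload = None
    return {"status": "ran", "returncode": result.returncode, "sha256": digest, "output": payload}


def demo() -> dict:
    """Constructed fixture: a disposable checkout with a pinned checker, then a swapped one."""
    benign = b'import json, sys\nprint(json.dumps({"argv": sys.argv[1:], "ok": True}))\n'
    swapped = b'print("not the pinned checker")\n'
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        tools = workdir / "scripts" / "tools"
        tools.mkdir(parents=True)
        script = tools / "doc-sync-checker.py"
        script.write_bytes(benign)
        pinned = {sha256_bytes(benign)}
        out = {
            "no_opt_in": run_checker_guarded(workdir, pinned, False)["status"],
            "pinned": run_checker_guarded(workdir, pinned, True),
        }
        # The repository replaces its checker: the guarded path refuses it,
        # the unpinned path executes it without question.
        script.write_bytes(swapped)
        out["tampered_guarded"] = run_checker_guarded(workdir, pinned, True)["status"]
        out["tampered_unpinned"] = run_checker_unpinned(workdir)["stdout"].strip()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pinning by hash only covers the script itself; anything it imports from the repository is still that repository's code, which is why the guarded form runs the interpreter in isolated mode and why an opt-in per run, rather than a global setting, is the better default for untrusted checkouts.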

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions are broad enough to activate the repair loop on ordinary user phrasing such as 'fix X' or on generic review findings, which can cause the skill to begin autonomous code modification unexpectedly. In this skill context, that is more dangerous because the protocol also permits repeated automated repair cycles and downstream commits, increasing the chance of unintended repository changes from ambiguous requests.

Missing User Warnings

High
Confidence
96% confidence
Finding
The protocol states that a PASS result leads to an automatic commit, but it does not require a clear user warning or fresh consent before modifying repository state. In a code-repair orchestrator, this is especially risky because commits create durable changes, may trigger CI/CD or downstream automation, and can persist incorrect or unsafe modifications without the user's awareness.

Missing User Warnings

High
Confidence
97% confidence
Finding
The protocol promises automatic FAIL-to-repair looping 'without asking the user,' which allows repeated code changes across multiple rounds without renewed consent or visibility. In this skill, that materially increases risk because autonomous iteration can amplify mistakes, broaden the blast radius of a bad repair strategy, and accumulate repository changes before a human notices.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal