
Security audit

openclaw-gitcode-pr-monitor

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it can run unattended, use a GitCode token, post AI review comments, and send full review reports to chat services without enough guardrails.

Install only if you intend to run unattended PR review automation. Use a dedicated least-privilege GitCode token, restrict repositories and chat targets, avoid sensitive/private repos unless external sharing is approved, and consider adding a manual approval or dry-run step before posting comments or sending full report attachments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises and documents shell-based automation but does not declare corresponding permissions, which creates a transparency and trust gap for anyone installing or reviewing it. In a skill that polls repos, runs commands, posts comments, and sends notifications, undeclared execution capability can hide meaningful operational and data-handling risk even if the behavior is intended.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation states that PRs will be reviewed, commented on, and notifications sent through OpenClaw Gateway, DingTalk, and WeCom, but it does not clearly warn that PR metadata, comments, and potentially repository-derived review content may be transmitted to external services. That omission can lead users to expose proprietary code, sensitive PR text, or internal workflow data to third parties without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script logs the PR URL and the full agent output to a log file, and the task sent to the agent includes repository identifiers, the PR URL, local token path, and report path. Agent output may also echo fetched code, review content, errors, or other sensitive operational details, so writing it verbatim to disk creates a confidentiality risk if logs are broadly readable or retained long-term. In this PR-monitoring context, the issue is more dangerous because the skill is designed to process potentially private repository data continuously across multiple repos.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script sends PR metadata including repository name, PR title, author, timestamp, and URL to external messaging services (DingTalk and WeCom). In this skill's context, that data flow is intentional for notifications, but it still creates a real confidentiality risk because PR metadata may expose internal project details and there is no consent prompt, classification check, or redaction before transmission.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script uploads the full review report file to DingTalk and WeCom as media attachments, which can leak source-derived findings, code snippets, architecture details, secrets accidentally included in the report, or vulnerability information to external systems. This is more dangerous than simple metadata sharing because the report content is likely richer and may contain sensitive internal analysis that should stay within the code hosting or review environment.

VirusTotal

61/61 vendors flagged this skill as clean.