Git Delegation Management

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about delegating git work, but it lets Worker messages trigger broad authenticated git actions using the Manager’s host credentials without clear controls.

Install only where Workers are fully trusted and external controls exist. Require authenticated request origin, restrict allowed repositories and git commands, review pushes or history-changing operations before execution, and prefer least-privilege repo-scoped credentials over broad host git credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger is broad enough that normal discussion of git delegation or loosely structured messages could activate a privileged workflow that uses the Manager's host git credentials. Because the skill is explicitly authorized to perform arbitrary git operations on behalf of others, accidental or adversarial triggering can lead to unauthorized repository access, pushes, or state changes.

Vague Triggers

Medium
Confidence: 98%
Finding
Treating any message containing `git-request:` as executable instruction is dangerous because the skill later says to run the listed operations literally, with access to host git config and credentials. An attacker or compromised Worker can embed malicious or destructive git commands, point to attacker-controlled remotes, or abuse credentialed pushes with minimal friction.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill discloses that it will use the host's `.gitconfig` and credentials but does not present a clear safety warning or consent boundary before performing networked git actions on a Worker's behalf. In this context, delegated operations can exfiltrate code to remotes, modify private repositories, or create authenticated commits under the Manager's identity, so the lack of an explicit warning increases the chance of unsafe or unintended use.

VirusTotal

64/64 vendors flagged this skill as clean.
