skill-b-pre-brief

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for automated pre-meeting briefs, but it needs Review because it can run unattended, scan and modify Gitea repositories, collect attendee emails, and trigger email distribution without tight scoping controls.

Install only with a dedicated least-privilege Gitea token, HTTPS-only Gitea configuration, pinned dependencies, and an explicit repository allowlist. Confirm your organization accepts automatic emails to all listed attendees and remote logging of meeting identifiers before enabling the cron workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The metadata description materially expands the skill's apparent scope from a narrow pre-brief scheduler to a broader 'full meeting workflow automation' component that coordinates multiple subsystems. This kind of scope mismatch can mislead reviewers, operators, and policy controls, causing the skill to receive permissions or trust assumptions inappropriate for its actual orchestration role.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This scheduled pre-brief skill includes generic repository write primitives that can create or update arbitrary files, which exceeds the stated purpose of generating and sending pre-meeting briefs. In a cron-triggered context, overbroad write capability is dangerous because any downstream misuse, prompt injection, or logic flaw could silently modify repository contents without a human in the loop.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The code enumerates all repositories accessible to the bot and probes each for a meetings directory, expanding the skill's operational scope well beyond a narrowly scoped pre-brief task. In an automatically triggered skill, this broad discovery behavior increases blast radius by enabling cross-repository data access and creating opportunities for unintended information exposure or lateral impact.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The module exposes reusable repository mutation functions without showing controls that bind those mutations to the pre-brief use case. That makes the skill capable of arbitrary content changes if called improperly, which is especially risky for a background automation task with authenticated access to source repositories.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This utility sends runtime event data to a remote repository unrelated to the stated narrow purpose of generating pre-briefs, creating an unnecessary data egress path. In a cron-triggered skill, this is more dangerous because it can silently run on a schedule and persistently export operational metadata or potentially sensitive entry contents without user awareness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill automatically emails generated meeting briefs to all attendees, which involves transmitting potentially sensitive meeting topics, participation lists, and repository activity summaries without any explicit privacy warning, approval gate, or recipient validation guidance. In a cron-driven workflow, this is more dangerous because it runs unattended and can repeatedly disclose information to unintended recipients if metadata is stale or wrong.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The workflow writes AI-generated meeting summaries and report data to predictable files under /tmp, which may expose sensitive content to other local users or processes on shared systems and may leave recoverable remnants after execution. Although temporary storage is operationally convenient, using world-accessible temporary locations for meeting data increases local disclosure risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The function transmits arbitrary log entry data over the network using an authorization token, with no disclosure, consent, or visible indication to users/operators in the skill itself. Because this skill runs automatically via cron, it can continuously exfiltrate meeting-related metadata or other sensitive runtime data to a remote repo, and the broad exception handling suppresses failures that might otherwise reveal the behavior.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
PyYAML>=6.0
pytz>=2023.3
Confidence
93% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
PyYAML>=6.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
92% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
PyYAML>=6.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
95% confidence
Finding
PyYAML>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
PyYAML>=6.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
90% confidence
Finding
pytz>=2023.3

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=1.0.0
PyYAML>=6.0
pytz>=2023.3
python-dateutil>=2.8.2
Confidence
90% confidence
Finding
python-dateutil>=2.8.2

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

Known Vulnerable Dependency: PyYAML — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
94% confidence
Finding
PyYAML

VirusTotal

65/65 vendors flagged this skill as clean.