Security audit

Kb Eval Repo

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated repository-evaluation purpose, but it uses an admin Gitea token and writes KB review pages by default.

Install only if you are comfortable giving this skill admin-level access to your Gitea instance and allowing it to create or update review pages in selected KB repositories. Prefer running it with `writeReview` set to false unless you explicitly want persistence, and use a narrowly scoped bot token instead of an admin token where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation declares no explicit permissions while instructing use of capabilities that read files, access the network, and potentially rely on environment-provided credentials/helpers. This creates an implicit trust boundary issue: operators and users may approve or invoke the skill as if it were low-privilege when it can actually reach external repositories and local KB content, increasing the chance of overbroad data access or unintended side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as an evaluation/query tool, but its workflow includes creating a review file in the selected repository by default, which is a state-changing action. That mismatch is dangerous because a caller expecting read-only analysis may unintentionally authorize repository writes, enabling unwanted content injection, audit noise, or abuse of authenticated repository-modification APIs.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill includes file-write capability to the knowledge-base repository, which is not necessary for merely evaluating a repository's usefulness. This expands the blast radius from read-only analysis to persistent modification of KB content, enabling unauthorized or misleading report creation if the task input or skill behavior is abused.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code loads a Gitea admin token for a skill whose stated purpose is repository evaluation/querying, giving it far broader authority than needed. If the skill is compromised or misused, an attacker could modify arbitrary repository contents in the Gitea instance rather than only performing read operations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill defaults to creating or updating review documents in the KB repository via writeReview=True, which exceeds the expected scope of a query/evaluation tool. Default-on persistence can be triggered without explicit user awareness and may pollute trusted KB content with machine-generated or attacker-influenced material.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill omits a prominent user-facing warning that it may write an evaluation report into the selected repository unless `writeReview` is false. In this context, the omission is more dangerous because the skill operates on knowledge repositories and could persist generated content into user-selected targets without informed consent, leading to accidental modification of trusted KB state.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code writes review files back into the KB repository without any user-facing warning or consent flow in this file. In a knowledge-base context, silent persistence is risky because users may expect an evaluation action to be non-mutating, while the skill actually alters trusted documentation state.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
95% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
92% confidence
Finding
python-dotenv

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory: CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
71% confidence
Finding
python-dotenv

VirusTotal

59/59 vendors flagged this skill as clean.