Changelog Watcher

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward release-monitoring helper that checks public GitHub and npm release data and keeps a local last-seen state file.

Before installing, review the watchlist entries, use dry-run mode if you do not want state.json updated, and only set up cron or provide a GitHub token in an environment you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%

Finding: The skill instructs the agent to read and write local files, make network requests, and execute shell commands, but it does not declare permissions or present any guardrails around those capabilities. This creates a transparency and authorization gap: users may invoke the skill without realizing it can persist changes to disk and reach external services.

Vague Triggers

Medium
Confidence: 84%

Finding: The trigger phrases are broad enough to match generic requests like checking for updates or asking what's new, which can cause the skill to activate in situations the user did not intend. Because the skill performs network access and can modify local state, overbroad routing increases the chance of unintended external requests or persistent side effects.

Missing User Warnings

Low
Confidence: 90%

Finding: The instructions tell the user to create and edit watchlist files and to run commands that update state, but they do not clearly warn that these changes are persistent across sessions. This can lead to silent modification of configuration and tracking data, which is risky even if the intended purpose is legitimate.

Session Persistence

Medium
Category: Rogue Agent

Content:
## Files

- `watchlist.json` — user config (create from `assets/watchlist.example.json`)
- `state.json` — auto-managed last-seen versions (do not edit)
- `scripts/compare_versions.py` — main entry point; calls the others
- `scripts/check_github.py` — GitHub releases API
Confidence: 88%

VirusTotal

66/66 vendors flagged this skill as clean.
