Changelog Watcher

Security checks across malware telemetry and agentic risk

Overview

This appears to be an ordinary release-monitoring skill: it queries public package sources (GitHub releases, npm) and keeps local watchlist and state files. The issues found are disclosure gaps (undeclared capabilities, broad triggers, an unflagged state write) rather than malicious behaviour.

Install if you want a local release watcher for public GitHub/npm projects. Before first use, review watchlist.json, prefer a dry run until the output looks right, and pass --update-state only when you intentionally want to record the current versions as the baseline for future comparisons.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to run shell commands, reach GitHub and npm over the network, and read and write persistent files, yet it declares no permissions or equivalent capability disclosure. That mismatch lets the agent or user invoke operations with broader side effects than expected, which reduces transparency and informed consent.
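The mismatch described above can be caught mechanically before a skill is installed: infer what the scripts actually do from their imports and calls, then diff that against what the skill discloses. The following is an added example, not code from SkillSpector or from the Changelog Watcher skill. It assumes a `capabilities:` list in the SKILL.md YAML frontmatter as the disclosure field (the page does not document the skill's manifest format) and uses constructed stand-ins for `scripts/check_github.py` and `scripts/compare_versions.py`. Module-name matching is a heuristic; dynamic imports and `os.system` calls reached through aliases are not covered.

```python
import ast
import re

# Constructed SKILL.md stand-in. The `capabilities:` frontmatter key is an assumed
# disclosure field for this example; the page does not document the skill's format.
SKILL_MD = """---
name: changelog-watcher
description: Watch GitHub releases and npm packages for new versions.
capabilities:
  - network
---
## Files
- `watchlist.json` (user config)
- `state.json` (auto-managed last-seen versions)
"""

# Constructed stand-ins for scripts/check_github.py and scripts/compare_versions.py;
# not the project's real code.
SCRIPTS = {
    "scripts/check_github.py": '''
import json
import urllib.request

def latest_release(repo):
    url = f"https://api.github.com/repos/{repo}/releases/latest"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)["tag_name"]
''',
    "scripts/compare_versions.py": '''
import json
import subprocess

def npm_latest(pkg):
    out = subprocess.run(["npm", "view", pkg, "version"], capture_output=True, text=True)
    return out.stdout.strip()

def save_state(state):
    with open("state.json", "w") as fh:
        json.dump(state, fh)
''',
}

NETWORK_MODULES = {"urllib", "requests", "http", "httpx", "socket"}
WRITE_MODE = re.compile(r"[wax+]")


def observed_capabilities(source: str) -> set:
    """Infer capabilities a script exercises from its imports and calls (heuristic)."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                root = name.split(".")[0]
                if root in NETWORK_MODULES:
                    caps.add("network")
                if root == "subprocess":
                    caps.add("shell")
        elif isinstance(node, ast.Call):
            f = node.func
            # os.system / os.popen are shell execution too
            if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) \
                    and f.value.id == "os" and f.attr in {"system", "popen"}:
                caps.add("shell")
            # open(path, "w"/"a"/"x"/"r+") marks a filesystem write
            if isinstance(f, ast.Name) and f.id == "open":
                mode = node.args[1].value if len(node.args) > 1 and isinstance(node.args[1], ast.Constant) else None
                for kw in node.keywords:
                    if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                        mode = kw.value.value
                if isinstance(mode, str) and WRITE_MODE.search(mode):
                    caps.add("filesystem-write")
    return caps


def declared_capabilities(skill_md: str) -> set:
    """Read the assumed `capabilities:` list from the frontmatter without a YAML dependency."""
    m = re.match(r"---\n(.*?)\n---", skill_md, re.S)
    if not m:
        return set()
    caps, in_list = set(), False
    for line in m.group(1).splitlines():
        if re.match(r"capabilities:\s*$", line):
            in_list = True
        elif in_list and re.match(r"\s+-\s+", line):
            caps.add(line.split("-", 1)[1].strip())
        elif in_list and not line.startswith(" "):
            in_list = False
    return caps


def underdeclared(skill_md: str, scripts: dict) -> set:
    """Capabilities the scripts exercise that the disclosure does not mention."""
    used = set()
    for src in scripts.values():
        used |= observed_capabilities(src)
    return used - declared_capabilities(skill_md)


if __name__ == "__main__":
    # With the constructed inputs: shell and filesystem-write are used but undeclared.
    print("undeclared:", sorted(underdeclared(SKILL_MD, SCRIPTS)))
```

A non-empty result is exactly the Underdeclared Capability pattern listed under MCP Least Privilege; in a review pipeline the check would fail the skill until the disclosure is completed.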

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match everyday requests such as checking for updates or asking "what's new", which raises the chance the skill is auto-invoked where the user never intended shell or network activity. Because the skill can modify state and reach external services, overbroad routing widens the attack surface and the risk of unintended execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The primary recommended command passes --update-state, which writes the persistent state.json, but the instructions do not prominently warn that this mutates on-disk state. A user may believe they are running a read-only check when they are in fact rewriting the baseline for future comparisons, which makes the skill less predictable and can hide later changes.
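The fix on the skill side is to make the read-only path the default and make the state write explicit, visible, and atomic. The following is an added example of that shape, not the skill's own `scripts/compare_versions.py`. The watchlist and state dictionaries, the `source:name` key layout, and the offline `fetch_latest_offline` stand-in for the GitHub/npm calls are all constructed for this example; only the `--update-state` flag name comes from the page. The function returns whether state was written so the behaviour can be checked without reading stdout.

```python
import argparse
import json
import os
import sys
import tempfile

# Constructed watchlist and prior state; in the real skill these live in
# watchlist.json and state.json. Keys are "<source>:<name>" (an assumption).
WATCHLIST = {
    "github": ["example-org/example-tool"],
    "npm": ["example-pkg"],
}
STATE = {
    "github:example-org/example-tool": "v1.4.0",
    "npm:example-pkg": "2.0.1",
}
# Constructed "latest" answers standing in for the GitHub releases API and npm,
# so the example runs offline.
LATEST = {
    "github:example-org/example-tool": "v1.5.0",
    "npm:example-pkg": "2.0.1",
}


def fetch_latest_offline(key: str) -> str:
    return LATEST[key]


def compare(watchlist: dict, state: dict, fetch):
    """Pure comparison: returns (changes, new_state) and touches nothing on disk."""
    changes, new_state = [], dict(state)
    for source, names in watchlist.items():
        for name in names:
            key = f"{source}:{name}"
            latest = fetch(key)
            seen = state.get(key)
            if seen != latest:
                changes.append((key, seen, latest))
            new_state[key] = latest
    return changes, new_state


def write_state_atomically(path: str, state: dict) -> None:
    """Temp file + rename, so an interrupted run never leaves a half-written baseline."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".state-", suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh, indent=2)
    os.replace(tmp, path)


def run(argv, watchlist: dict, state: dict, fetch, state_path: str = "state.json") -> bool:
    """Dry run by default. Only --update-state writes the baseline, and it says so.

    Returns True if state was written, False for a dry run."""
    parser = argparse.ArgumentParser(description="Report new releases for watched projects.")
    parser.add_argument(
        "--update-state", action="store_true",
        help="record the versions seen now as the baseline for future runs (WRITES state.json)",
    )
    args = parser.parse_args(argv)

    changes, new_state = compare(watchlist, state, fetch)
    for key, seen, latest in changes:
        print(f"{key}: {seen or '(none)'} -> {latest}")
    if not changes:
        print("no new versions")

    if args.update_state:
        print(f"WARNING: writing {state_path}; future runs will compare against these versions",
              file=sys.stderr)
        write_state_atomically(state_path, new_state)
        return True
    print(f"dry run: {state_path} not modified (pass --update-state to record this baseline)")
    return False


if __name__ == "__main__":
    run(sys.argv[1:], WATCHLIST, STATE, fetch_latest_offline)
```

Run without arguments it reports `github:example-org/example-tool: v1.4.0 -> v1.5.0` and leaves state.json alone; the same run with `--update-state` prints the warning to stderr and replaces the file in one rename. Separating `compare` from the write is what makes the default invocation genuinely read-only rather than read-only by convention.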

Session Persistence

Medium
Category
Rogue Agent
Content
## Files

- `watchlist.json` — user config (create from `assets/watchlist.example.json`)
- `state.json` — auto-managed last-seen versions (do not edit)
- `scripts/compare_versions.py` — main entry point; calls the others
- `scripts/check_github.py` — GitHub releases API
Confidence
88% confidence
Finding

VirusTotal

67/67 vendors flagged this skill as clean.