Nex Changelog

Security checks across malware telemetry and agentic risk

Overview

This is a local changelog generator, but users should review client or public drafts because audience filtering is imperfect.

Install only if you are comfortable with a local tool that reads git history from repositories you specify and stores changelog data under ~/.nex-changelog. Before sending client emails, public release notes, or Telegram drafts, manually check that no internal notes, vulnerability details, or private project information were included.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill advertises and instructs use of shell execution (`bash setup.sh`, git import commands) and local file/database writes (`~/.nex-changelog/`, export files) but does not declare permissions. That mismatch can cause an agent or reviewer to underestimate the skill's ability to modify the host filesystem or invoke external binaries, which is a real security and transparency issue even if the described functionality is legitimate.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The client email formatter explicitly claims to include only CLIENT-audience entries, but if none are tagged CLIENT it silently falls back to all entries. In this skill's context, that can expose internal-only or public-unready changelog items to clients, causing sensitive information leakage such as unreleased features, internal refactors, or security details.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The audience-based formatter advertises audience-specific output, but the PUBLIC and INTERNAL branches call the same formatter without applying any audience filtering. This can mix confidential internal notes into public release notes or expose client-only/private details to the wrong stakeholder group, undermining the core access-separation promised by the skill.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
The trigger phrases are broad and overlap with common requests such as 'what changed', 'new features', and 'fixed issues'. This can cause the skill to activate in situations where the user did not intend local repo inspection, changelog generation, or filesystem-modifying actions, increasing the chance of unintended command execution or data exposure from nearby repositories.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
The setup instructions tell the agent/user to run `bash setup.sh`, which creates directories, installs dependencies, and initializes a database, but the markdown does not clearly warn that this changes the local system. Lack of explicit notice and consent for local filesystem changes can lead to surprising or unauthorized modifications on the host.

VirusTotal

67/67 vendors flagged this skill as clean.
