gsd

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate project-automation skill, but it gives an agent broad authority to change projects, commit history, install tools, run services, and handle API keys without enough user-controlled safeguards.

Review before installing. Use it only in a project where you are comfortable with automated file edits, git initialization, frequent commits, spawned agents, web access, and command execution. Do not paste production API keys into chat; prefer a secret manager or local environment setup. Require explicit approval before package installs, global CLI installs, process kills, deployments, or commits in shared repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (64)

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
The file explicitly authorizes broad host-level actions such as globally installing CLIs and killing processes, which exceed a narrow project-planning workflow and can modify or disrupt the user's system. In an agent context, this increases the chance of unintended system changes, package trust issues, and denial-of-service to unrelated local processes if commands are applied too broadly.

Intent-Code Divergence

Severity: Medium. Confidence: 98%.
The execution-protocol example instructs the user to run `npm run dev`, which contradicts the document's own rule that the agent must start dev servers itself. This can normalize unsafe delegation of executable actions to the user and create opportunities for social engineering or accidental execution of unreviewed local commands.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
The workflow mandates `git init` in the current directory before any user interaction, even when the skill's purpose is project planning rather than repository management. This causes an immediate side effect on the user's filesystem and can alter repository boundaries, tooling behavior, and later commit history without explicit consent.

Intent-Code Divergence

Severity: Medium. Confidence: 89%.
The workflow claims roadmap approval is required before committing, but separately instructs the roadmapper agent to write `ROADMAP.md`, `STATE.md`, and update `REQUIREMENTS.md` immediately before approval. Even without a commit, this creates unapproved changes on disk and lets an autonomous sub-agent modify core planning artifacts before the user has accepted the structure.

Vague Triggers

Severity: Medium. Confidence: 96%.
The routing table contains broad natural-language triggers such as "start work," "test," "context," "continue," and "capture" that are common in ordinary conversation. In a user-invocable skill that can plan, execute work, and modify project artifacts, this creates a real risk of accidental activation or misrouting into privileged workflows the user did not explicitly intend to invoke.

Vague Triggers

Severity: Medium. Confidence: 94%.
The statement "Or just tell me what you want and I'll guide you through GSD" makes activation boundaries ambiguous and encourages free-form interpretation instead of explicit command use. Because this skill orchestrates research, planning, execution, and repository-affecting actions, ambiguous activation materially increases the chance of unintended workflow entry and downstream file changes.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The skill advertises execution, per-task commits, verification against the codebase, and creation of a `.planning/` directory, but does not prominently warn that it may modify files or repository state. In this context, missing effect disclosure is dangerous because users may invoke the workflow expecting advice or planning, while the skill proceeds into actions that write artifacts or change code.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The skill explicitly instructs the agent to write files into `.planning/codebase/`, which is a repository modification side effect. Because the file does not clearly disclose this destructive/non-read-only behavior to the end user or require confirmation before writing, it can cause unexpected workspace changes, overwrite prior planning artifacts, or be abused in automation contexts where file mutations are assumed absent.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The write step operationalizes filesystem modification by directing use of the Write tool to create documents, but it omits any safeguard around overwrites, prior file existence, or user consent. In agentic workflows this is risky because a caller may expect analysis only, while the skill silently mutates repository state and can clobber manually curated planning documents.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The skill explicitly instructs creation of persistent debug files and continual updates, including user-provided debugging context, but does not require any notice, consent, or minimization before writing that data to disk. In a debugging workflow, users often share stack traces, tokens, internal paths, customer data, or other sensitive details, so silent persistence materially increases privacy and data-exposure risk.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The skill instructs the agent to modify files and run git commands that create persistent repository changes, but it does not require an explicit user-facing warning or confirmation immediately before those side effects occur. In practice, this can surprise users, commit unintended changes, or operationalize malicious content embedded in a plan by turning it into committed code with audit-looking messages.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The deviation rules authorize the agent to automatically fix blockers, install dependencies, adjust configuration, and add security/correctness changes without explicit approval, which permits unplanned system and environment modifications. Because the executor consumes plan content and can use Bash, this creates a meaningful risk that adversarial or mistaken plans trigger broad repo or environment changes beyond the user's intended scope.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The skill explicitly instructs the agent to write a file into the workspace and run `git add`/`git commit` automatically, but it provides no requirement for explicit user consent, preview, or confirmation before modifying files and repository history. In an agent setting, autonomous workspace and git-history mutation can cause unintended changes, concealment of prior state, or accidental persistence of unsafe content, especially when the research scope or upstream context is influenced by untrusted inputs.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The skill explicitly instructs the agent to create and write PLAN.md files into the workspace, but it does not include any user-facing disclosure, confirmation, or guardrail before modifying project files. In an agentic workflow, silent file writes can surprise users, alter repository state, and be chained with downstream automation that treats those files as trusted execution inputs.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The skill explicitly instructs the agent to write an output file and commit it to git, but it provides no requirement to obtain explicit user consent before modifying the workspace or repository history. In an agent setting, this can cause unintended persistent changes, noisy or misleading commits, and unauthorized modification of tracked files, especially when the orchestrator passes attacker-controlled prompts or paths.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The skill explicitly instructs the agent to write a file and create a git commit without any user confirmation, disclosure, or safety gating. In an agentic environment, silent persistence and repository mutation can surprise users, create unwanted history, and be abused to launder unreviewed or adversarial content into version control.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The skill explicitly instructs the agent to immediately write and update multiple planning artifacts without any required confirmation, preview, or warning to the user. This creates a real integrity risk because existing project planning documents may be overwritten or altered unexpectedly, especially when the skill is run in a repository with preexisting state.

Missing User Warnings

Severity: High. Confidence: 99%.
The skill mandates staging and committing files to git as part of normal execution, but it does not require notifying the user that repository history will be modified. Automatic commits are more dangerous than local file edits because they create durable history, may trigger hooks or CI workflows, and can be difficult to unwind cleanly in collaborative repositories.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The documentation directs users to store multiple provider API keys in a plaintext local config file under their home directory, but provides no guidance on file permissions, secret management, redaction, or avoiding accidental commits and log exposure. In a workflow that also enables logging and multi-provider routing, this increases the chance that long-lived credentials are disclosed through filesystem access, backups, shell history, or debugging output.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The guide encourages routing requests across multiple external AI providers but does not warn that prompts, source code, planning artifacts, and possibly system context may be transmitted to third parties outside the primary environment. For a project automation skill, this omission is significant because users may unknowingly send sensitive intellectual property, credentials, or internal data to additional vendors with different retention and privacy practices.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The skill instructs the user to paste an API key directly into the conversation/workflow without safety guidance, secure handling constraints, or warnings about exposure. In agent systems, this can lead to credential disclosure in logs, transcripts, memory, or downstream tools, enabling unauthorized use of the secret.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The guidance to silently auto-install CLIs encourages modifying the user's system without clear consent or disclosure. This is dangerous because it can change the execution environment, introduce unreviewed software into the host, and expand the agent's capability beyond the expected task scope.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The example explicitly instructs a user to paste an OpenAI API key into the chat/workflow without any safeguards, redaction guidance, or secure secret-handling instructions. In an agent setting, this creates a realistic risk of exposing secrets in conversation logs, plan artifacts, or downstream tools, especially because the surrounding guidance normalizes collecting secrets from the user.

Missing User Warnings

Severity: Medium. Confidence: 99%.
The secret-collection example tells the user to paste an API key directly into chat without warning that chat transcripts, logs, or prompt history may persist sensitive data. That creates a direct credential-exposure path and can lead to leakage into logs, model context, analytics systems, or copied plan artifacts.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The guidance recommends silent auto-installation of CLIs, which modifies the local system without explicit user consent or review. In an agentic workflow this can be abused to introduce unexpected software, expand attack surface, or violate least-privilege expectations on the user's machine.

VirusTotal

66/66 vendors flagged this skill as clean.