git-publish

Security checks across malware telemetry and agentic risk

Overview

This skill mostly performs GitHub publishing as advertised, but it gives the agent broad commit/push authority and adds persistent logging/self-modification behavior that users should review first.

Install only if you are comfortable with an agent staging all files, creating commits, configuring remotes, and pushing to GitHub. Before using it, inspect git status and diffs for secrets or unrelated files, avoid force-push unless you intend to overwrite remote history, and consider removing the repo-map persistence and self-evolution diary/PR section.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The skill includes a self-evolution workflow that writes diary entries and proposes modifying its own SKILL.md, behavior unrelated to publishing a repository. This expands the skill from a bounded Git publishing task into persistent self-modification, creating an avenue for unauthorized file writes and instruction drift over time.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
Directing the skill to append to diary logs and submit a PR against its own SKILL.md is unjustified for a git-publish utility and introduces persistent, self-directed code/documentation changes. In practice, this can mutate future behavior, bypass review expectations, and create a supply-chain style risk if the altered skill is later trusted or redistributed.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrases are broad everyday requests like 'push to GitHub' or 'upload to remote', which can cause the skill to activate in normal conversation without making the destructive side effects explicit. In this skill, unintended invocation is more dangerous because activation can lead to git initialization, staging all changes, committing, and pushing to a remote repository.

Missing User Warnings

High
Confidence: 96%
Finding
The README describes an automatic workflow that stages all changes and creates commits, but it does not prominently warn users up front that all current modifications may be included. This is dangerous because users may unintentionally publish secrets, unfinished work, generated files, or unrelated local changes to a remote GitHub repository.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill stores a local mapping between project paths and GitHub repository addresses, but the README does not clearly warn users about this persistent metadata collection. While not as severe as code publication, this can expose sensitive local directory structure, client/project names, or repository associations on shared systems.

Missing User Warnings

Medium
Confidence: 90%
Finding
The description says the skill handles auto-commit of uncommitted changes, but it does not prominently warn that it stages all files and commits them before pushing. In a publishing skill, this is dangerous because users may invoke it expecting a simple push and unintentionally publish secrets, experimental files, or unrelated local changes.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill writes to references/repo-map.json and diary files and may alter repository configuration, but these side effects are not clearly disclosed up front. Hidden persistent writes are risky because they can leak path-to-repository associations, alter future behavior, and surprise users who expected a one-time publish action.

VirusTotal

65/65 vendors flagged this skill as clean.