skill-publish

Security checks across malware telemetry and agentic risk

Overview

This skill is a real publishing helper, but it can commit and publish broad local changes and keeps extra local state beyond what users may expect.

Install only if you want an agent to manage git commits, remotes, pushes, and registry publication for you. Review the working tree before use, avoid repositories with secrets or unrelated changes, and consider removing the repo-map and self-evolution/diary behavior before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The self-evolution section authorizes the skill to modify its own documentation and submit PRs, which exceeds the narrowly expected publish workflow and creates an unnecessary self-modification path. A publishing skill should not autonomously change its own behavior or instructions based on prior runs, because that can introduce persistence, policy drift, and hard-to-audit changes.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The instructions tell the skill to append failure cases and improvement notes to local diary files, creating persistent writes unrelated to publishing. This can leak execution details into the repository or local workspace and establishes unnecessary statefulness that may expose sensitive context or contaminate future commits.

Context-Inappropriate Capability

Low
Confidence: 95%
Finding
The file embeds a user-specific inventory of local filesystem paths and associated GitHub repositories, including unrelated skills under the user's home directories. This unnecessarily discloses sensitive environment details and project metadata, which can aid profiling, targeted social engineering, or unintended access assumptions by downstream automation. In a publish skill, this is somewhat contextual but still broader than necessary because it exposes mappings for many unrelated projects rather than only the current target repository.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger conditions are very broad, including generic phrases like publish, upload, push, and multilingual variants, which raises the chance of accidental activation in contexts the user did not intend. Because this skill performs git operations and publication actions, unintended invocation materially increases the risk of unwanted commits or releases.

Missing User Warnings

High
Confidence: 99%
Finding
When initializing a new repository, the skill stages all files with `git add .` and commits them without first warning the user what will be included. This can accidentally capture secrets, build artifacts, local notes, credentials, or unrelated files and then prepare them for publication to a remote repository.

Missing User Warnings

High
Confidence: 99%
Finding
The workflow auto-stages all uncommitted changes and commits them after inspecting diffs, but still lacks an explicit user approval gate for what will be published. In a publishing context, this is especially dangerous because the next steps push to GitHub and external registries, turning an overbroad local commit into public disclosure.

Missing User Warnings

Medium
Confidence: 90%
Finding
Persistently updating `references/repo-map.json` writes local path-to-repository mappings without explicit disclosure or consent. While less severe than code publication, it creates an inventory of local development paths and repository associations that may expose private project structure or become unintentionally committed later.

Missing User Warnings

Medium
Confidence: 95%
Finding
The self-evolution step writes execution-derived content into diary files without warning, creating persistent state unrelated to the publishing task. This can expose internal operational details and, if committed later by the same workflow, amplify data leakage and repository contamination risks.

VirusTotal

64/64 vendors flagged this skill as clean.