Atomgit Curl

Security checks across malware telemetry and agentic risk

Overview

This AtomGit helper matches its stated purpose, but it can perform high-impact repository actions with a bearer token and lacks strong safety gates.

Install only if you intend to let this skill act on AtomGit repositories using your token. Use a least-privilege token, avoid putting tokens in command-line arguments or URLs, verify targets before approve/merge/batch/issue/collaborator commands, and treat those commands as remote write operations that can affect code or repository access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The script claims strong input validation and command-injection prevention, but multiple state-changing commands such as merge-pr, check-pr, create-pr, issue operations, and collaborator management do not consistently validate owner, repo, numeric IDs, or free-form body/title fields before constructing API endpoints and JSON payloads. While quoting prevents straightforward shell injection, the inconsistent validation increases the risk of malformed requests, unsafe state changes, and abuse of privileged automation in a security-sensitive repository-management tool.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The comment is incorrect: the bearer token is embedded directly in the curl command line via -H "Authorization: Bearer $ATOMGIT_TOKEN". On many systems, command-line arguments are visible to local users through process listings, shell audit logs, crash reports, or debugging tools, so this can expose a credential with repository-wide privileges.

Missing User Warnings

Medium
Confidence: 98%
Finding
The API reference explicitly documents passing an access token in the URL query string (`?access_token=...`) without warning that URLs are commonly exposed via logs, browser history, proxies, shell history, and monitoring systems. This can lead to credential leakage even when TLS is used, because the problem is token placement rather than transport encryption.

Missing User Warnings

Medium
Confidence: 77%
Finding
The skill advertises state-changing operations such as approving PRs, merging PRs, creating issues, and managing collaborators without prominent warnings, confirmation requirements, or scope guidance. In an agentic context, this increases the chance of unintended destructive or high-impact repository actions being carried out with the user's token.

Missing User Warnings

Medium
Confidence: 80%
Finding
The documentation instructs users to supply live API tokens via environment variables and direct command examples, but it does not clearly warn that these credentials grant remote repository access and may be exposed through shell history, logs, screenshots, or misconfigured config files. In a skill designed for automation, that omission materially raises credential-handling risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation instructs users to log in with a personal token and advertises multiple state-changing operations such as approving PRs, merging PRs, and creating or updating issues, but it does not warn that credentials may be stored or that these commands can modify remote repository state. In an agent-skill context, this omission increases the risk of users supplying powerful tokens without understanding persistence, scope, or the consequences of executing destructive or workflow-affecting actions.

Missing User Warnings

Medium
Confidence: 89%
Finding
This command performs an irreversible or sensitive state change by merging a pull request immediately, without any confirmation, dry-run mode, or secondary verification. In an agent skill context, accidental invocation, prompt-induced misuse, or parameter confusion could directly modify production code or bypass human review expectations.

Missing User Warnings

Medium
Confidence: 94%
Finding
Removing a collaborator changes repository access control and can lock out users or disrupt operational workflows, yet the script executes it without confirmation or safety checks. In an automation/agent setting, this is more dangerous because a single mistaken or manipulated call can immediately revoke access from the wrong account.

VirusTotal

63/63 vendors flagged this skill as clean.
