Atomgit Powershell

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its AtomGit automation purpose, but loading its batch script can automatically approve real pull requests and its token handling guidance is too loose.

Install only after reviewing the PowerShell scripts. Use a dedicated least-privileged AtomGit token, avoid putting real tokens in command history or plaintext config, and do not load the batch script unless you intend it to approve the specified PRs. Prefer manual confirmation before approvals, merges, collaborator changes, or other remote write actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The script claims token protection, but several code paths still surface raw exception messages via `$_.Exception.Message`, including storing detailed API error text in result objects and printing it later. HTTP/client exceptions can contain request or authentication details, so this contradiction can expose sensitive information in console logs, CI logs, or job output.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The script claims 'token protection' but loads a bearer token from a plaintext JSON file under the user's home directory. Storing API credentials in readable local config materially increases the risk of token theft from local compromise, backups, or accidental disclosure, especially since the same token is then used for authenticated API actions.

Missing User Warnings

Medium
Confidence: 85%
Finding
The README instructs users to place an AtomGit token in environment variables or configuration files but does not warn about protecting the token, limiting permissions, or avoiding accidental commits of config files. This increases the likelihood of credential exposure through shell history, shared environments, screenshots, or source control, which could enable unauthorized repository access.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation includes collaborator addition and removal operations, which can directly change repository access control, but it does not warn that these actions are security-sensitive and may remove legitimate access or grant unauthorized write privileges if used incorrectly. In an agent skill context, normalizing these actions without safeguards increases the risk of accidental or unauthorized permission changes.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill prominently documents PR approval and merge operations without emphasizing that these actions can irreversibly change repository state, bypass review expectations, or land untrusted code. Because the skill is designed for automation and batch handling, lack of warnings materially increases the chance of unsafe or mistaken merges and approvals.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation instructs users to pass an access token directly on the PowerShell command line (`AtomGit-Login "YOUR_TOKEN"`) without any warning about secure handling. Command-line secrets are commonly exposed through shell history, process listings, logs, transcripts, and screenshots, which can lead to credential theft and unauthorized access to AtomGit resources.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script automatically invokes `Invoke-BatchApprove` when run if `$PRs.Count -gt 0`, and defaults `PRs` to real PR numbers. That means simply executing the script can immediately post `/lgtm` and `/approve` comments to external PRs without an explicit confirmation step, creating a high risk of unintended approval actions in a code-review workflow.

Missing User Warnings

Medium
Confidence: 88%
Finding
The collaborator add/remove functions perform state-changing repository operations immediately once invoked, without confirmation, dry-run support, or safety rails. In an agent or automation context, this raises the risk of accidental privilege grants or unauthorized collaborator removal if inputs are mistaken, injected, or triggered unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.
