Security audit

Wip Release

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate release automation skill, but it needs review because it can publish, deploy, merge or delete branches, close issues, and use local secrets without a separate confirmation step.

Install only if you intentionally want this skill to perform releases in trusted repositories using your authenticated npm, GitHub, 1Password, and ClawHub access. Prefer running --dry-run first, use --no-publish or --no-deploy-public when appropriate, verify any websiteRepo/deploy.sh target, and make sure tokens are scoped for the specific packages and repositories you are willing to let it mutate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill description promises publishing to npm and GitHub, but the implementation also publishes to ClawHub and copies SKILL.md into a separate website repository before optionally running that repo's deploy.sh against a VPS. This hidden expansion of scope creates undisclosed outbound distribution and remote deployment behavior, which is dangerous in a release tool because operators may authorize it expecting only package/release publication.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding:
Beyond release actions, the code performs broad repository hygiene and governance operations such as renaming/deleting merged branches, pruning worktrees, and writing local release markers. These side effects materially exceed a 'one-command release pipeline' expectation and can alter developer workflow state in ways a user did not consent to when invoking a release.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The tool does more than publish to GitHub: it auto-creates release branches, opens PRs, merges them, pushes tags, and later deletes or renames branches/worktrees. Those are high-impact remote state mutations that can bypass expected human review and can permanently change repository history/branch topology under the banner of a simple release action.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The code reads a local 1Password service-account token from ~/.openclaw/secrets and uses it to retrieve an npm auth token. While credential use is expected in a release tool, silently pulling secrets from local storage increases risk because the skill can access and use sensitive credentials without explicit runtime disclosure or user approval.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The skill copies content into a separate website repository and executes an external deploy.sh script there, which can trigger arbitrary deployment behavior to a VPS outside the stated release targets. Running a script from another repo as part of a release pipeline greatly expands the trust boundary and can lead to unintended remote changes or code execution paths not apparent from the manifest.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The tool parses issue references from release notes and automatically closes matching GitHub issues with gh issue close. Issue closure is an irreversible workflow action in many teams, and doing it automatically based on free-form notes can accidentally close unrelated or prematurely referenced issues without clear user awareness.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The README uses broad natural-language activation text that could cause an agent to ingest and act on the skill during ordinary exploratory requests, such as asking what the tool is or whether to integrate it. Because the skill automates high-impact release operations including version bumps, commits, tags, pushes, and package publication, ambiguous invocation language increases the chance of unintended activation in a sensitive repository context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README presents a one-command release pipeline that performs consequential actions across source control and package registries, but it does not prominently warn users that invoking the skill may modify files, create commits and tags, push to remotes, or publish externally. In an agent setting, lack of explicit safety framing increases the risk that users treat the skill as informational or low-risk when it can trigger irreversible release actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README documents automatic copying into a website repository and execution of that repository's deploy.sh script, but does not present this as a high-risk operation requiring explicit acknowledgement. Because the target path can come from config or environment and the skill is a release tool likely run with sensitive tokens and repo write access, this behavior can lead to unintended code execution or changes in a second repository with substantial privileges.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
Sensitive credentials are accessed from local secret storage and used automatically without an upfront warning that the skill will retrieve and transmit an npm authentication token. In an agent-executed context, undisclosed credential access is especially risky because users may not realize the tool is empowered to use local secrets on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
Automatically closing issues based on release-note references performs remote workflow mutations without prior user-facing disclosure or confirmation. In a release tool this is more dangerous because notes can contain broad issue references, causing unintended closure of tickets in the public repo as a side effect of publishing.

Vague Triggers

Severity: Low
Confidence: 77%
Finding:
The package description advertises a 'one-command release pipeline' that bumps versions and publishes artifacts, but it does not communicate any trigger constraints, confirmation requirements, or safety boundaries. In an agent-executable skill ecosystem, this broad wording can encourage invocation in the wrong repository or at the wrong time, increasing the chance of unintended publication or repository modification.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The manifest description mentions publishing to npm and GitHub but does not warn that the skill performs repository-modifying and release actions with external side effects. In this context, the absence of a prominent warning is dangerous because agents or users may invoke it without appreciating that it can create releases, modify changelogs, and publish packages.

VirusTotal

67/67 vendors flagged this skill as clean.