Wip License Hook

Security checks across malware telemetry and agentic risk

Overview

This license-scanning skill matches its stated purpose, but online scans can execute shell commands built from repository-controlled dependency names.

Install only if you understand that online scans run package-manager and git commands against the target repository. Avoid using it on untrusted pull requests or arbitrary repositories unless it is sandboxed; prefer `--offline` where practical; and treat the optional git-hook install as a deliberate workflow change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly exposes shell-executed capabilities through its CLI/module/MCP interfaces and explicitly requires external binaries such as node, git, and npm, but it does not declare any corresponding permissions or execution boundaries. This creates an authorization and review gap: consumers may treat the skill as low-risk metadata while it can invoke system tools, fetch remotes, scan repositories, and potentially perform networked package installation or command execution in CI, hooks, or MCP contexts.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The hook intends to run the license check in advisory mode and display a warning when the gate command fails, but `|| true` causes the command substitution to return success, so `$?` is always 0. As a result, license drift is silently ignored and users receive no alert, undermining the core security/compliance purpose of the hook and making it easy to miss risky upstream license changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The npm lookup builds a shell command with an untrusted dependency name interpolated directly into execSync. Because dependency names come from package.json, an attacker who can influence repository contents can inject shell metacharacters and achieve command execution on the host running the scan, not merely cause metadata disclosure. In a CI/license-gating skill, this is more dangerous because scans are likely automated and run with repository or CI credentials.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
When offline is false, the scanner queries npm for each dependency, which discloses the project's dependency names to an external service without explicit consent or notice. This is primarily a privacy and operational transparency issue rather than direct compromise, but it can expose internal technology choices or unreleased package usage patterns. The skill's compliance-scanning context makes network lookups somewhat expected, though explicit disclosure and opt-in are still advisable.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The pip lookup also interpolates an untrusted package name into a shell command passed to execSync. A crafted requirements.txt entry could inject additional shell syntax and execute arbitrary commands during scanning. Because this skill is designed to process repository-controlled dependency manifests, the attack surface is directly reachable by a malicious pull request or poisoned repository.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cargo path constructs `cargo info ${name}` as a shell command from dependency names parsed out of Cargo.toml. An attacker able to modify Cargo.toml can inject shell metacharacters and trigger arbitrary command execution in the scanner environment. In CI or merge-gating use, that can lead to secret exfiltration, workspace modification, or runner compromise.

Missing User Warnings

Medium
Confidence
71% confidence
Finding
The git remote lookup and fetch can contact an external upstream remote automatically when offline is false, disclosing repository activity and potentially interacting with attacker-controlled remotes defined in local git config. Unlike the package-manager cases, these commands are constant strings, so this is not shell injection here, but it is still a network/SSRF-style trust-boundary issue with possible credential leakage depending on the git environment. In a fork/upstream license scanner, contacting remotes is functionally related, which reduces suspicion somewhat, but silent network access remains risky.

VirusTotal

66/66 vendors flagged this skill as clean.
