Repo PR Triage

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed GitHub PR triage helper that reads repo and PR metadata, writes local reports, and does not show hidden mutation, exfiltration, or destructive behavior.

Install only if you are comfortable letting it read the target repository through your gh login. Use a least-privilege GitHub account or token, review triage reports before acting, treat README and PR text as untrusted, and avoid the optional cron/Telegram workflow for sensitive private repositories unless the destination and schedule are explicit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs use of shell commands and local file reads/writes (`gh` CLI, Python scripts, output files) but does not declare permissions. This creates a transparency and policy gap: an agent or user may invoke a skill with broader capabilities than expected, increasing the chance of unintended repository access, local file modification, or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior materially overstates what the skill does: it claims issue triage, vision/rubric-driven analysis, and broader review capability, while the described implementation appears limited to heuristic PR metadata scoring. This mismatch can mislead operators into trusting automated prioritization decisions for security- or governance-sensitive workflows that the skill is not actually equipped to perform.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation language is broad enough to match many ordinary repository-management requests, which can cause over-selection of this skill in contexts the user did not intend. Because the skill performs shell access, GitHub queries, and local writes, accidental invocation expands the chance of unnecessary data access or filesystem changes.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The cron section describes automated scanning, report generation, and sending summaries to an external channel without prominently warning about recurring writes and outbound transmission. In practice, this can lead to unattended repository metadata collection, local file creation, and exfiltration of potentially sensitive PR information to messaging platforms.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
Use `references/rubric-template.md` as the starting template for the rubric.
"""
    return prompt


def main():
Confidence
91% confidence
Finding
return prompt

VirusTotal

66/66 vendors flagged this skill as clean.