OC PR Review

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PR review helper, but users should be careful before letting it post reviews or send summaries outside GitHub.

Install only if you are comfortable letting the agent use your GitHub CLI login to inspect PRs. Before any Feishu message or GitHub review/comment is sent, confirm the target PR, recipient, review type, and exact content, especially for private repositories or security findings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill is presented primarily as a PR review/reporting workflow, but it also documents `gh pr review` and PR comment submission commands that can modify remote repository state. That mismatch is dangerous because an agent or user may invoke the skill expecting read-only analysis while it includes write-capable actions that publish feedback or change review status without an explicit consent boundary.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
The skill instructs an interactive `gh auth login`, which expands its scope from analyzing PRs to acquiring credentials for GitHub access. Even if operationally common, embedding credential acquisition in the skill increases the chance that an agent will prompt for or facilitate privileged authentication beyond what is necessary for a narrowly scoped review task.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Telling users to `export GITHUB_TOKEN="your_token"` introduces direct environment-secret handling in a skill whose core purpose is review/reporting. This can lead to credential exposure through shell history, shared terminals, logs, or downstream tools, especially if agents echo commands or troubleshoot interactively.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill supports sending PR review summaries to Feishu but does not warn that code-review content, repository metadata, and possibly sensitive findings may be shared with a third-party messaging destination. Without an explicit privacy notice and user approval checkpoint, confidential code or security issues could be disclosed to unintended recipients.

Missing User Warnings

Medium
Confidence: 93%
Finding
The optional PR review/comment commands write directly into the repository workflow and may create public or team-visible records, but the skill does not clearly warn users of that effect. This can cause unintended disclosure of internal analysis, premature review decisions, or unauthorized repository interaction if an agent treats these commands as part of the normal review flow.

VirusTotal

57/57 vendors flagged this skill as clean.