Gh Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

This GitHub integration is mostly coherent, but it gives an agent automatic access to read issue content and write back to GitHub with weak trust-boundary controls.

Install only if you are comfortable giving this plugin GitHub App authority to read issue content, post comments, and edit issue bodies in installed repositories. Use a tightly scoped GitHub App, restrict installation to specific repositories, disclose AI processing to repository users, and avoid connecting it to agents that can access secrets or perform sensitive actions without human approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The plugin forwards GitHub issue content into the agent runtime, but this file shows no disclosure or consent mechanism informing repository users that their issue text will be consumed by an AI agent. In a collaboration channel that ingests third-party user content from public or semi-public repositories, this creates a real privacy and transparency risk even if it is not a memory-safety bug.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The code performs an authenticated PATCH to a GitHub issue body and overwrites remote content without any explicit user confirmation, approval gate, or dry-run mode. In an agent skill context, this creates a real integrity risk: if invoked with attacker-influenced status data or on the wrong repository/issue, the agent can silently modify externally visible project records.

Ssd 1

Severity: High
Confidence: 97%
Finding
Untrusted issue text is embedded directly into a message framed as actionable work for the agent: "Please review this issue, introduce yourself, and start analyzing." Because the issue title/body come from external GitHub users, an attacker can place prompt-injection instructions in the issue body to manipulate the agent into unsafe actions, exfiltration attempts, or policy bypasses in downstream tools/channels.

Ssd 1

Severity: High
Confidence: 98%
Finding
Issue comments are passed verbatim to the agent as if they were normal conversational input from a user. Comments are fully attacker-controlled and especially dangerous because they can iteratively steer an existing session, override prior context, or social-engineer the agent into taking unintended actions after the initial issue has already established trust.

Ssd 1

Severity: High
Confidence: 98%
Finding
The plugin forwards untrusted GitHub issue title/body content to the agent inside imperative framing such as 'Please review this issue, introduce yourself, and start analyzing.' This causes attacker-controlled repository content to be interpreted in a privileged agent workflow, creating a classic prompt-injection boundary failure that can manipulate agent behavior, exfiltrate data, or trigger unsafe actions through the collaboration channel.

Ssd 1

Severity: High
Confidence: 97%
Finding
User comment text is passed verbatim into the agent conversation as if it were a normal conversational turn from a user. Because GitHub commenters are external and potentially adversarial, they can embed instructions that override or steer the agent, making this a direct semantic prompt-injection path into an issue-handling workflow.

VirusTotal

62/62 vendors flagged this plugin as clean.