Skill Publish Adapter Real

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because its package metadata describes a validator, while its instructions describe bypass-oriented publishing automation that can change files, download and run scripts, and publish to ClawHub or GitHub.

Install only if you specifically want a publishing automation helper and can inspect every step. Do not run the remote curl-installed script or publish to GitHub/ClawHub without reviewing the target directory, repository/account, file changes, chmod changes, generated archives, and any deletion command first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%

Finding: The skill is presented as a ClawHub publish adapter, but its documented behavior expands into GitHub repository creation and GitHub publishing. That scope expansion is risky because users or orchestration systems may invoke it expecting local validation/publishing support, while it may perform external side effects on third-party services and repositories.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%

Finding: GitHub repository creation/publishing is not justified by the stated purpose of a ClawHub adapter, creating a principle-of-least-privilege violation. In an agent setting, unjustified external publishing capabilities can lead to unintended code exposure, repository creation, or data leakage beyond the user’s original intent.

Description-Behavior Mismatch

Severity: High
Confidence: 96%

Finding: The package metadata identifies the artifact as '@clawhub/skill-validator' with a validator-focused description, while the surrounding skill context claims this is a publish adapter intended to bypass platform issues. That mismatch can be used to disguise the true purpose of the skill, mislead reviewers and users, and hide risky behavior behind benign-sounding metadata, which is especially concerning given the explicit claim of 'automatically bypassing' platform constraints.

Vague Triggers

Severity: Medium
Confidence: 84%

Finding: The manifest examples use broad natural-language triggers such as publishing or validation requests that are not tightly scoped to this specific tool. In agent ecosystems, overly broad invocation phrases can cause accidental selection of a skill that performs file modification or publishing actions in contexts where the user did not intend those side effects.

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding: The documentation advertises automatic fixes, permission changes, file creation, packaging, and publishing behavior without prominent warnings about system and data impact. This is dangerous because users may trigger destructive or externally visible actions, such as chmod changes, file modifications, archive creation, or publication, without informed consent or an opportunity to review changes first.

VirusTotal

66/66 vendors flagged this skill as clean.