TPM Copilot

Security checks across malware telemetry and agentic risk

Overview

TPM Copilot is a real project-management automation skill, but it needs review because it can use sensitive business credentials, send reports externally, and create Jira tickets with weak safeguards.

Install only if you are comfortable granting access to internal project-management, source-control, Slack, and email systems. Use least-privileged tokens, keep config files out of repositories, verify webhook and email destinations before each send, avoid untrusted program names, and review the stored action list before using --create-tickets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill advertises and operationalizes broad capabilities including shell execution, file read/write, network access, environment/config secret usage, and external integrations, but no explicit permission declaration or safety boundary is present. In a skill that touches Jira, Linear, GitHub, Slack, email, Confluence, calendars, and local state, this creates a real risk of over-privileged execution, unintended data access, secret exposure, and unauthorized actions.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The invocation description is extremely broad and could trigger on many normal TPM/PM requests, causing the skill to activate in contexts where the user did not intend external data access, reporting, or side effects. Because this skill can read project data and potentially post to Slack, email, Confluence, or create tickets, overbroad routing increases the chance of unintended disclosure or unauthorized modifications.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill describes automatic delivery of generated reports to Slack, email, and Confluence without an explicit warning that project data may be transmitted to third-party systems. Given the content may include sprint health, blockers, risks, PR status, stakeholder updates, and calendar-derived information, this can cause accidental leakage of sensitive operational or personnel-adjacent information outside the immediate workspace.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill can extract action items from meeting notes and optionally create Jira or Linear tickets, but it does not warn that this may create or modify records in external systems based on imperfect parsing. In context, meeting notes can contain sensitive discussions, ambiguous ownership, or draft decisions, so automatic ticket creation can leak internal context, create inaccurate artifacts, or trigger unauthorized workflow changes.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The document instructs users to place a Jira API token directly in a JSON config file and shell environment variables without warning that these are secrets or recommending a secure secret store. This increases the chance of accidental credential exposure through source control, shell history, process inspection, backups, or shared workstation environments, especially in a skill that integrates with multiple SaaS systems.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The documentation instructs users to place a personal Linear API key directly in a config file and shell environment without any warning about secret handling, storage scope, shell history, or accidental commit risk. In a TPM/PM automation skill that aggregates project data, these credentials likely grant broad read access to organizational metadata, so poor handling can expose internal work items and team information.

Missing User Warnings
Severity: Medium
Confidence: 76%
Finding: When --alert is used, the script sends newly detected risk titles to a Slack webhook from config or environment without any confirmation, destination validation, or redaction. In a TPM context, risk titles may contain internal project names, ticket identifiers, or sensitive operational details, so accidental disclosure to an incorrect or compromised webhook is plausible.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The Slack delivery path sends the full generated report, which may include blockers, assignees, milestones, and other internal operational data, to an external webhook with no confirmation, destination validation, or redaction controls. In a TPM/PM skill, the report context often contains sensitive internal project data, making unintended disclosure to the wrong workspace or channel a realistic risk.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The email delivery path transmits the report body and recipient addresses to a third-party email API without any warning, recipient confirmation, or sensitivity checks. Because this tool aggregates data from Jira, Linear, GitHub, and milestones, accidental emailing can expose non-public roadmap, staffing, and blocker information outside intended recipients.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal