Workspace

Security checks across malware telemetry and agentic risk

Overview

This skill is a real automation tool, but it can read sensitive local agent memory, send code and context to LLM endpoints, create persistent scheduled jobs, and modify, commit, push, or post to repositories.

Install only if you want a repository automation agent, not just a read-only scanner. Start with dry-run or semi-auto mode, avoid scheduling full-auto on sensitive repositories, review which repos are configured, disable or tightly control GitHub tokens, and assume code plus local persona memory may be sent to the configured LLM provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not (repo_path / "pytest.ini").exists() and not (repo_path / "pyproject.toml").exists():
        return {"passed": False, "tests_run": 0, "failures": 0, "output": "no test config"}
    try:
        result = subprocess.run(
            ["python3", "-m", "pytest", "--tb=short", "-q"],
            cwd=str(repo_path),
            capture_output=True,
Confidence
89% confidence
Finding
result = subprocess.run( ["python3", "-m", "pytest", "--tb=short", "-q"], cwd=str(repo_path), capture_output=True, text=True, timeou

Tainted flow: 'req' from os.environ.get (line 1386, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        endpoint = base_url.rstrip("/") + endpoint_suffix
        try:
            req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
            with urllib.request.urlopen(req, timeout=120) as resp:
                data = json.loads(resp.read().decode("utf-8"))
                if "anthropic" in endpoint or endpoint_suffix == "/v1/messages":
                    text_blocks = [
Confidence
98% confidence
Finding
with urllib.request.urlopen(req, timeout=120) as resp:

Tainted flow: 'req' from os.environ.get (line 1386, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
                headers=headers,
                method="POST",
            )
            with urllib.request.urlopen(req, timeout=60) as resp:
                data = json.loads(resp.read().decode("utf-8"))
                if "anthropic" in endpoint:
                    text_blocks = [
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as resp:

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill is framed primarily as an inspection/scanning manager, but the documented workflow explicitly includes an execution step that can apply improvements after analysis. This is dangerous because users may invoke a scan expecting read-only behavior, while the tool can progress into repository-modifying actions, creating integrity and change-control risks.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation defines preview mode as 'no execution', but the overall workflow indicates scans may still notify or record learnings/state. That mismatch can cause operators to use dry-run in sensitive environments under the false assumption that it is entirely side-effect free, when metadata or audit state may still be written.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill implements cross-persona workspace and memory access, allowing one persona to read another persona's context files and message history without any access-control, consent, or purpose limitation. In this script, that data is later incorporated into summaries and prompts, so private information from other personas can be exposed or influence automated actions.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The script harvests LLM credentials from environment variables, CLI config, and local models.json, broadening access to secrets beyond what is necessary for a simple scan. Because those credentials are then used to transmit repository content and context to external endpoints, compromise or misuse of this skill can leverage existing secrets silently.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The skill can list, comment on, and close GitHub issues through the gh CLI, creating remote side effects not strictly necessary for local scanning. In combination with autonomous execution paths, this allows the tool to alter repository state and issue workflow with little user awareness.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
This helper implements persistent per-persona profiling by detecting the current agent identity from environment variables or the current working directory and storing approvals, rejections, and metrics across workspaces. In an agent skill context, undisclosed environment and workspace profiling can create privacy and boundary issues, especially because it enables silent accumulation of behavioral history outside the skill folder.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
This scanner is presented as a product-analysis tool, but it also aggregates persona context, preferences, and learnings history and sends them to an external LLM along with repository content. That creates a real data-exposure risk because potentially sensitive local context is transmitted off-box without clear minimization or consent boundaries in this code.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README prominently advertises background operation and automatic project improvement without an equally prominent warning that the tool may autonomously inspect, modify, or act on user repositories. In an agent skill context, that framing can mislead users into enabling autonomous behavior before understanding scope, permissions, and rollback requirements, increasing the chance of unintended code changes or unsafe execution.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Quick Start directly instructs users to enable monitoring, full-auto mode, and recurring scheduling, but does not place a prominent warning before those commands about continuous autonomous actions on user projects. This is especially dangerous because users often copy-paste setup commands verbatim, so the documentation can effectively cause unattended operation without informed consent or staged validation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly advertises "install once, run in the background, the project gets better automatically, no repeated intervention needed", but does not, in the same place, stress that this capability continuously runs inspections and may trigger automatic modifications or change repository state. For an automation tool aimed at code repositories and agent/skill scenarios, such a weak notice leads users to underestimate the risks of continuous execution and automatic changes, making it easy to enable high-privilege automation without being adequately informed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Quick Start directly guides users to run `set-mode full-auto` and `schedule --every 10`, prompting them to enable high-frequency, continuous automatic execution with almost no risk education. Combined with the documentation's descriptions of an "inspection engine + executor", "confirm/approve/reject" and "rollback", it is reasonable to infer that this mode is not merely a read-only scan but may also cause automatic changes, frequent resource consumption, or a sustained impact on the repository.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The top-level description markets continuous automatic improvement without an equally prominent warning that the tool may modify project files. This is risky because users may enable or run it based on scanner-like expectations, leading to unintended code changes across monitored repositories.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow includes an execution phase after inspection, but the documentation does not clearly warn that suggestions may be applied automatically. Hidden automation around code changes increases the chance of unauthorized or accidental modifications, especially in shared or production-adjacent repositories.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The sample configuration enables automatic execution of low-risk changes, yet the documentation does not clearly explain the repository modification implications. In practice, 'low-risk' judgments can be wrong, and automatic application across configured repos can introduce silent integrity issues or destructive edits at scale.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The execution preview normalizes automatic execution of changes and references applying them 'per rules' without an explicit, prominent warning that repository files may be modified and later committed. In an agent skill context, that omission can reduce operator awareness and increase the chance of unintended code changes being accepted or executed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The confirmation templates state 'Committed and pushed' as an expected outcome without ensuring users were previously warned about remote side effects. In an automation setting, documenting push behavior as routine can cause users to overlook that code and history may be altered in a local and remote repository.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The schedule setup instructions encourage unattended recurring scans via cron but do not prominently warn that automated runs may progress into repository-modifying workflows depending on configuration. That creates a real risk of unreviewed or poorly understood automation causing persistent changes over time.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Cross-persona memory and workspace data are loaded and summarized without a clear disclosure at the point of use, so users may not realize private context is being accessed. This increases the likelihood of inadvertent data exposure, especially when summaries are later fed into LLM prompts.

Missing User Warnings

High
Confidence
97% confidence
Finding
The call_llm path sends code snippets, context, and system/user prompts to externally configured endpoints without an execution-time warning or consent step. Since the context may include repository code, workspace files, and memory-derived summaries, this creates a real exfiltration channel to third-party services.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
GitHub issue/comment automation performs remote write actions without prominent user disclosure in the execution path. This can surprise operators and produce unauthorized comments or closures in repositories when the tool is run in automated mode.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The GitHub API integration can automatically create or update issues and PR comments using GITHUB_TOKEN, but the scan flow does not provide strong user-facing disclosure when these writes occur. Because content posted includes scan findings and trends, private project metadata may be published unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The module automatically creates and writes persistent learnings and metrics files without any in-file disclosure, opt-in, or visible notice to the user. Silent disk persistence is risky in agent environments because it can retain operational history, repository identifiers, and decision outcomes across sessions without clear authorization or retention limits.

VirusTotal

64/64 vendors flagged this skill as clean.
