ClawGator Superpowers

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate development workflow package, but it grants broad automatic influence over the agent and can run repo-changing or project-controlled commands with limited confirmation.

Install only if you want this skill to actively steer development sessions. Review the startup hook, broad activation rules, worktree setup commands, .gitignore commit behavior, dependency install/build/test steps, and branch finishing actions before enabling it in important repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The documented purpose presents this as a development-process skill, but the analyzed behavior includes additional capabilities such as filesystem scanning, session-context injection, git network operations, and auxiliary tooling not disclosed in the top-level description. That mismatch is security-relevant because users and downstream agents may grant trust or trigger the skill under false assumptions, enabling broader actions than expected.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill's Step 5 says cleanup applies to Options 1, 2, and 4, but elsewhere the document says Option 2 should keep the worktree. This inconsistency can cause an agent to remove the worktree after pushing and creating a PR, potentially deleting a local working context the user expected to preserve and causing workflow disruption or loss of uncommitted local state in that worktree.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
This prompt is a pressure test that explicitly frames the documented debugging process as financially irresponsible and socially costly, pushing the user toward skipping verification and deploying an untested patch. In an operational engineering skill, that kind of instruction can normalize unsafe incident response, increase the chance of incorrect fixes, and compound outages or introduce security/reliability regressions under pressure.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The file directly cites the systematic debugging skill and then argues against its prescribed steps, undermining the safety and reliability constraints of the parent skill. This is dangerous because it teaches users that documented process should be discarded when under business pressure, which is exactly when disciplined incident response is most important.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill instructs the agent to edit and commit `.gitignore` automatically when a worktree directory is not ignored. That changes repository history and state beyond the narrowly scoped goal of creating an isolated worktree, and it does so without explicit user approval. In an automated agent context, unsolicited commits are risky because they can introduce policy violations, unexpected branch pollution, or conceal unrelated changes under a seemingly routine setup action.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill directs automatic execution of dependency installation, builds, and tests (`npm install`, `cargo build`, `pip install`, `poetry install`, `go mod download`, test runners) as part of setup. These commands execute untrusted project-controlled code and hooks, can fetch remote content, and may have significant side effects on the system or network. That exceeds the core responsibility of worktree creation and meaningfully increases attack surface.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger keywords are extremely generic development verbs like "build," "create," "fix," and "debug," which are common in ordinary user requests. In a skill that auto-activates workflows, this can cause unintended invocation and unexpected execution of additional actions such as planning, worktree creation, or other repo-affecting operations without clear user intent.

Vague Triggers

High
Confidence: 97%
Finding
The rule requiring invocation whenever there is even a 1% chance the skill might apply creates an effectively universal and ambiguous activation condition. That dramatically increases the chance of the skill taking over unrelated requests and initiating actions the user did not specifically authorize, especially given the skill's development and git automation scope.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README describes automatic creation of git worktrees and branch wrap-up actions including merge, PR, keep, or discard, but does not prominently warn that these operations modify repository state and may have destructive outcomes. In an agent skill, unclear disclosure around repo-mutating behavior increases the risk of accidental branch changes, lost work, or unsafe automation.

Vague Triggers

High
Confidence: 95%
Finding
Automatic triggers on generic words like 'build', 'create', 'implement', 'fix', and 'add' are so broad that the skill may activate during ordinary conversation or unrelated tasks. In a skill that orchestrates planning, subagents, git worktrees, and other development actions, unintended invocation expands the attack surface and can cause unreviewed context loading or action chaining.

Vague Triggers

Medium
Confidence: 90%
Finding
The rule stating the skill must be invoked whenever there is even a 1% chance it applies creates an effectively unbounded activation condition. This encourages over-triggering, reduces operator discretion, and increases the likelihood that the skill will run in contexts where its broader workflow and tool integrations are unnecessary or unsafe.

Vague Triggers

Medium
Confidence: 91%
Finding
The command description states it "MUST" be used before any creative work, including creating features, adding functionality, or modifying behavior, which makes the trigger scope extremely broad. In an agent skill system, such broad preconditions can force routine development activity through an external skill path, increasing the chance of prompt/behavior hijacking, unnecessary privilege expansion, or workflow lock-in across many otherwise unrelated tasks.

Vague Triggers

Medium
Confidence: 92%
Finding
The command description is broad and generic, and the body delegates behavior to another skill with an instruction to follow it exactly. That creates an overly permissive trigger surface and can cause the agent to invoke planning behavior in situations where tighter scoping, validation, or user confirmation should be required, especially because the referenced skill content is not constrained here.

Missing User Warnings

Medium
Confidence: 97%
Finding
The README instructs users to fetch and follow installation instructions from a remote raw GitHub URL without presenting the contents inline or warning users to inspect them first. This creates a supply-chain and social-engineering risk: the remote file can change over time and may contain unsafe commands that users or agents execute blindly.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README instructs users to run destructive removal commands (`rm -f` / `rm -rf`) against paths under their configuration directory without an explicit warning that existing files or directories at those paths will be deleted or replaced. While scoped to expected install locations, this can still cause unintended data loss if a user previously stored custom plugins or skills there or if the path is not what they expect.

Missing User Warnings

Medium
Confidence: 92%
Finding
The Windows instructions delete existing plugin and skills paths with `del` and `rmdir` but do not clearly warn that prior contents may be removed or replaced. This creates a real risk of accidental deletion of user-managed configuration or custom skill directories during installation or reinstallation.

Missing User Warnings

Medium
Confidence: 93%
Finding
The design explicitly bootstraps every session with a full inventory of available skills and their directories, which increases unnecessary disclosure of local capability metadata and filesystem layout. Even if this is intended for convenience, exposing this information by default broadens the attack surface for prompt injection or malicious instructions that can target specific skills, scripts, or directories once they are revealed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The installation guide tells users to install and enable a plugin that, per the plan, automatically runs a git fetch/network check on session start and exposes tools that can read skill files and influence agent behavior, but it does not disclose that automatic behavior. This is dangerous because users cannot provide informed consent about code that will execute shell and network operations automatically when OpenCode starts.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document recommends running broad process-kill commands like `pkill -f "<service-pattern>"` as standard subagent hygiene, but it does not require scoping, confirmation, or safeguards to ensure only the intended test process is terminated. In an agent skill context, this is dangerous because automated or semi-automated execution could kill unrelated user processes or developer services, causing data loss, disrupted work, or misleading test outcomes.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly instructs users to run tests with `--permission-mode bypassPermissions`, which disables Claude's safety guardrails during execution. While this is presented as a testing convenience, it materially increases the risk that a skill under test can write files, modify repositories, or access granted directories without meaningful runtime protection, especially in a framework that runs real headless sessions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The test template combines `--allowed-tools=all` with `--permission-mode bypassPermissions`, effectively creating an unrestricted execution environment for real Claude Code sessions. In the context of testing skills that may be adversarial or buggy, this can lead to filesystem changes, command execution, git history modification, or other unintended side effects without sufficient warning to the operator.

Vague Triggers

Medium
Confidence: 89%
Finding
The hook matcher is broad enough to fire on several common session lifecycle events, causing the referenced shell script to execute automatically in many contexts without additional scoping or user confirmation. In a development-assistant skill, this increases the attack surface because any risky behavior in session-start.sh would run repeatedly and implicitly, making abuse or accidental side effects more likely.

Vague Triggers

Medium
Confidence: 89%
Finding
The skill description says it 'MUST' be used before any creative work, including broad activities like creating features or modifying behavior. That kind of mandatory, expansive trigger can cause the agent to invoke the skill in many situations where the user did not explicitly request it, increasing the chance of unnecessary repo inspection, workflow interference, or unintended follow-on actions. In this context, the danger is elevated because the skill later instructs file writes and git commits, so accidental invocation can cascade into workspace changes.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs writing a design document to the repository and committing it to git, but it does not require an explicit warning or user confirmation before modifying the workspace. This can lead to unauthorized or surprising state changes, especially if the skill is auto-invoked or used in read-only advisory contexts. The surrounding skill context makes this more dangerous because the workflow also encourages continued automation into worktrees and implementation planning, increasing the likelihood of compounding unintended changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Option 2 instructs the agent to run `git push` and `gh pr create` without a distinct warning that code, commit history, branch names, and PR metadata will be transmitted to remote services. In an agent skill, this is risky because users may interpret selecting 'create a Pull Request' as a local workflow step, while it actually publishes repository content externally.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal