Feishu Ai Coding Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill should go to Review because its artifacts appear to expose credentials and perform high-impact publishing actions while also overstating what its operational commands actually do.

Do not install this as-is unless you have reviewed the source carefully. The publisher should remove and rotate any embedded tokens, add explicit confirmations or dry-run behavior before external publishing and git pushes, and make the command descriptions truthful about whether actions are executed or only shown as examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium. Confidence: 89%.

Finding:
The script performs Git remote configuration and pushes to GitHub, which modifies an external source-control repository. In a publish helper this can be legitimate, but here it is coupled with embedded credentials and automatic execution, so running the script can cause unintended remote writes and repository changes without meaningful operator safeguards.

Intent-Code Divergence

Severity: Medium. Confidence: 98%.

Finding:
The file-level comments and feature list claim the skill can automatically detect/install tools and create/manage sub-agent sessions, but the implementation only returns instructional or placeholder text. This is a deceptive capability mismatch that can mislead users into trusting automation that does not exist, causing operational mistakes and unsafe assumptions about environment state or task execution.

Intent-Code Divergence

Severity: Low. Confidence: 96%.

Finding:
The function documentation says it checks whether a tool is installed, but the body never executes the check command and always returns "not installed". This can mislead downstream logic or operators into reinstalling tools unnecessarily or making incorrect decisions based on false environment status.

Intent-Code Divergence

Severity: Medium. Confidence: 99%.

Finding:
The help and command handlers present install/check/status/kill/steer/run as supported operational commands, but most branches only print example commands or note that real execution would happen elsewhere. In a security-sensitive agent environment, this creates a false sense of control and observability, which can lead users to believe agents were started, steered, or terminated when no action occurred.

Missing User Warnings

Severity: Medium. Confidence: 90%.

Finding:
The README explicitly promotes automatic installation of developer tools and background sub-agent execution, but it does not clearly warn users that this can modify the local system, install global packages, write files, and execute code with access to project data. In an agent skill context, these capabilities materially increase the risk of unintended system changes or supply-chain exposure if users invoke the skill without understanding its side effects.

Missing User Warnings

Severity: Medium. Confidence: 95%.

Finding:
The installation example includes a global npm install command for a coding tool without any warning about the risks of executing third-party packages globally. This can expose users to supply-chain compromise, PATH-level persistence, and unintended host modification, especially when presented as a normal one-step workflow inside an automation-oriented skill.

Missing User Warnings

Severity: High. Confidence: 99%.

Finding:
The file contains hardcoded ClawHub and GitHub tokens directly in the script, exposing live credentials to anyone who can read the file, logs, shell history, or repository contents. These secrets are then used for authenticated publishing and repository modification, creating immediate risk of account compromise, unauthorized publication, and source-control abuse.

Missing User Warnings

Severity: Medium. Confidence: 93%.

Finding:
The script logs into external services and publishes to ClawHub and GitHub automatically, causing authenticated network actions that can disclose code or create/update remote artifacts. Because this is a publish script, some outbound activity is expected, but the absence of clear safety prompts, dry-run mode, or confirmation makes accidental or unauthorized publication materially more dangerous.

VirusTotal

66/66 vendors flagged this skill as clean.