AutoGitHub

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real GitHub management tool, but it needs review because it handles powerful GitHub credentials insecurely and includes an unsafe local command path.

Review before installing:
  • Use a fine-grained GitHub token limited to the repositories you intend to manage.
  • Do not pass real tokens in shared shells or logs.
  • Ensure .github-manager.json is ignored by source control and protected on disk.
  • Avoid untrusted --since values or untrusted repository tags with the changelog script.
  • Inspect any generated GitHub Actions workflows before committing them to a repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script builds a shell command string for `git log` and appends `sinceTag` directly before passing it to `execSync`. Because `sinceTag` is sourced from CLI input (`--since`) or potentially attacker-controlled repository data, an attacker can inject shell metacharacters and achieve arbitrary command execution in the context of the user running the script.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The workflow states that production deployment requires manual approval, but the step only echoes a message and does not gate execution. This creates a false sense of protection: any qualifying run can proceed directly to production if repository/environment protections are not separately configured, enabling unauthorized or accidental production releases.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The release notes assert that security scans passed even though this workflow contains no security scanning steps. This can mislead operators, auditors, or downstream users into trusting an artifact that was never actually security-validated, increasing the chance that vulnerable code is promoted or consumed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents commands that can create repositories, deploy to environments, roll back releases, create releases, and close issues, but it does not clearly warn that these actions can change production state or cause operational disruption. In an agent setting, presenting these commands as routine usage without confirmation or environment safeguards increases the risk of accidental destructive or production-affecting actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill asks for a GitHub Personal Access Token with repo permissions and shows inline token configuration examples, but it does not provide a clear warning about secure storage, redaction, logging, or transmission of credentials. In agent workflows, this can lead users to paste sensitive tokens into insecure configuration, chat, shell history, or logs, enabling credential theft and repository compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill includes production deployment and rollback commands that can directly affect live systems, but it does not clearly warn users about service impact, approval requirements, or the risk of accidental production changes. In an agent skill context, exposing high-impact operational commands without explicit safety gates increases the chance of unsafe execution or misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI accepts a GitHub personal access token as a command-line argument and then writes it in plaintext to `.github-manager.json` in the current working directory. Command-line arguments can be exposed through shell history, process listings, logs, and CI telemetry, while plaintext local storage increases the chance of accidental commit, disclosure to other local users, or reuse by malicious code reading the workspace.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script reads a GitHub token from a local JSON config file and uses it directly for API access. Storing long-lived credentials in a plaintext project-adjacent file increases the chance of accidental disclosure through source control, backups, shared workspaces, or overly broad filesystem access.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
    "environments": {
      "dev": {
        "branch": "develop",
        "autoDeploy": true
      },
      "prod": {
        "branch": "main",
Confidence
80% confidence
Finding
autoDeploy

Self-Modification

High
Category
Rogue Agent
Content
Check for updates regularly:
```bash
github self-update
```

View version information:
Confidence
90% confidence
Finding
self-update

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "author": "GitHub Manager Team",
  "license": "MIT",
  "dependencies": {
    "@octokit/rest": "^20.0.2",
    "commander": "^11.0.0",
    "chalk": "^4.1.2",
    "inquirer": "^8.2.6",
Confidence
91% confidence
Finding
"@octokit/rest": "^20.0.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "license": "MIT",
  "dependencies": {
    "@octokit/rest": "^20.0.2",
    "commander": "^11.0.0",
    "chalk": "^4.1.2",
    "inquirer": "^8.2.6",
    "ora": "^5.4.1",
Confidence
91% confidence
Finding
"commander": "^11.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "dependencies": {
    "@octokit/rest": "^20.0.2",
    "commander": "^11.0.0",
    "chalk": "^4.1.2",
    "inquirer": "^8.2.6",
    "ora": "^5.4.1",
    "figlet": "^1.6.0",
Confidence
91% confidence
Finding
"chalk": "^4.1.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "@octokit/rest": "^20.0.2",
    "commander": "^11.0.0",
    "chalk": "^4.1.2",
    "inquirer": "^8.2.6",
    "ora": "^5.4.1",
    "figlet": "^1.6.0",
    "boxen": "^5.1.2"
Confidence
91% confidence
Finding
"inquirer": "^8.2.6"

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "commander": "^11.0.0",
    "chalk": "^4.1.2",
    "inquirer": "^8.2.6",
    "ora": "^5.4.1",
    "figlet": "^1.6.0",
    "boxen": "^5.1.2"
  },
Confidence
91% confidence
Finding
"ora": "^5.4.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "chalk": "^4.1.2",
    "inquirer": "^8.2.6",
    "ora": "^5.4.1",
    "figlet": "^1.6.0",
    "boxen": "^5.1.2"
  },
  "devDependencies": {
Confidence
91% confidence
Finding
"figlet": "^1.6.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "inquirer": "^8.2.6",
    "ora": "^5.4.1",
    "figlet": "^1.6.0",
    "boxen": "^5.1.2"
  },
  "devDependencies": {
    "eslint": "^8.56.0",
Confidence
91% confidence
Finding
"boxen": "^5.1.2"

VirusTotal

65/65 vendors rated this skill as clean.