Back to skill

Security audit

Skill Publish Tool

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate publishing helper, but it can automatically change files, commit and push to Git, publish to ClawHub, and contains an unsafe shell-command pattern users should review before installing.

Install only if you intend to automate publishing and are comfortable with the skill changing local files, committing, pushing to the configured Git remote, and publishing to ClawHub. Review diffs and targets first, avoid passing untrusted changelog or commit text into the script, prefer the skip flags or manual publish steps for sensitive repositories, and avoid the force-push troubleshooting path unless you fully control the branch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cmd(cmd, cwd=None):
    """执行 shell 命令"""
    print(f"🔧 执行:{cmd}")
    result = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
    if result.stdout:
        print(result.stdout.strip())
    if result.returncode != 0 and result.stderr:
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script's command runner accepts arbitrary command strings and is used across git and publish operations, while embedding external inputs directly into those commands. In an agent skill context, this broad shell execution surface exceeds the narrow publishing purpose and can be abused to run attacker-chosen commands on the host.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The report explicitly advertises automatic Git push and ClawHub publishing, but it does not clearly warn that using the skill will modify repository files and may publish changes to remote services. In an agent-driven context, this increases the risk of unintended commits, pushes, or marketplace publication when a user or downstream system interprets the capability as routine automation rather than a sensitive, side-effecting action.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises automatic Git commits/pushes and one-click external publishing, but does not clearly warn users that the tool can modify remote repositories and publish artifacts outside the local machine. In an agent skill context, this is risky because users may invoke the skill expecting convenience automation without realizing it performs high-impact remote actions that can expose code, overwrite history, or publish unintended changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation describes automatic file modification, Git push, and ClawHub publication as normal behavior, but it does not clearly warn that these actions can change local files, create commits, push to remote repositories, and publish externally. In a skill ecosystem, that omission is dangerous because users may treat invocation as low-risk tooling when it can trigger irreversible or externally visible actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide explicitly states that running the publish workflow will modify version files, update README content, commit and push to Git, and publish remotely, but it does not prominently warn users that these are side effects with potentially irreversible consequences. In a skill intended to automate publishing, these actions are expected, but the lack of a clear pre-execution warning increases the risk of accidental repository changes or unintended remote publication.

Missing User Warnings

High
Confidence
97% confidence
Finding
The troubleshooting guidance recommends `git push --force` as a solution for remote-history conflicts without a strong warning that it can overwrite remote history and destroy collaborators' work. Even in a publishing skill, presenting force-push as a normal remediation materially increases the chance of destructive misuse.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The package description states that the skill will automatically update a GitHub repository and publish to ClawHub, but it does not define user-confirmation requirements, target-repository constraints, or limits on what may be changed. In a skill whose purpose is to perform release automation, vague scope increases the risk of unauthorized commits, pushes, version bumps, or publication to the wrong destination if downstream logic interprets broad user requests too permissively.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.