Prompt Request Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill advertises fully automated GitHub coding work, but it gives a webhook-driven agent broad write and merge authority without adequate authorization and review controls.

Install only for repositories where all issue authors, PR commenters, and webhook sources are trusted. Use least-privilege GitHub credentials, disable or gate auto-merge, require maintainer approval and passing CI before merge, avoid treating missing CI as success, and do not enable Telegram delivery for private or sensitive repositories unless that data flow is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings
Severity: Medium. Confidence: 93%.
Finding: The skill explicitly advertises a fully automated pipeline that can implement code, create PRs, review, merge, and close issues, but it does not present a prominent warning about the scope and risk of these repository-changing actions. In this context, a user can trigger material source-control changes from issue text alone, which increases the chance of accidental destructive changes, unsafe merges, or abuse via crafted issue content.

Missing User Warnings
Severity: Medium. Confidence: 95%.
Finding: The configuration enables unsafe external content handling and forwards workflow data to Telegram, but the skill does not clearly warn users that GitHub event payloads, repository metadata, issue/PR content, and generated outputs may be transmitted to third-party systems. Because this pipeline processes untrusted webhook content and may include proprietary code or sensitive repository context, the privacy and data-exfiltration risk is substantial.

Vague Triggers
Severity: Medium. Confidence: 91%.
Finding: The issue_comment handling is underspecified and effectively treats any PR comment that 'requests changes' as authorization to modify code. In a GitHub automation context, that can let untrusted commenters or ambiguous natural-language comments trigger repository changes, creating a workflow-injection path and unintended code modification risk.

Missing User Warnings
Severity: High. Confidence: 95%.
Finding: The template instructs the agent to clone repositories, implement issue content, commit, push, open PRs, and potentially merge with no explicit safety confirmation or user-facing warning at execution time. Because issue bodies, PRs, and comments are attacker-controllable in many repos, this creates a high-risk prompt-injection and unsafe automation channel that can turn untrusted text into repository-modifying actions.

VirusTotal

66/66 vendors flagged this skill as clean.