Git Deploy

Security checks across malware telemetry and agentic risk

Overview

This Git deployment skill largely does what it claims, but it embeds a plaintext repository token in its own documentation and can publish all local changes to a remote with little user control.

Review before installing. Do not use this version while the exposed token is present: revoke or rotate that token and remove every secret from the skill. Use only a version that relies on normal Git credentials (a credential helper or an SSH key), shows git status or git diff before publishing anything, and asks for confirmation of the remote, the branch, and the push itself.
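What the recommended safer workflow looks like in practice, as an added example that is not the scanned skill's code and not SkillSpector's: a wrapper that refuses a remote URL carrying embedded credentials, shows the working-tree status, the diff and the commits that would leave the host, and pushes only after an explicit yes. The remote name, branch and confirmation callback are assumptions supplied by the caller; git is run through subprocess and authenticates with whatever credential helper or SSH key it is already configured to use.

```python
"""Safe Git deploy wrapper: an added example, not the scanned skill's code.

Assumptions not taken from the report: the caller supplies the remote name,
branch and a confirmation callback; git is run via subprocess and authenticates
through its normal credential helper or SSH key, never via a token embedded in
the remote URL or in this file.
"""
import subprocess
import sys
from urllib.parse import urlparse


def remote_url_is_clean(url: str) -> bool:
    """True unless the remote URL carries credentials in its userinfo.

    An http(s) URL with any userinfo (user:token@host, or token@host with the
    token standing in as the user name) is rejected. ssh:// URLs legitimately
    name a user (git@host), and scp-style remotes (git@host:org/repo.git) have
    no URL scheme at all; both are accepted.
    """
    if "://" not in url:
        return True
    parsed = urlparse(url)
    if parsed.password is not None:
        return False
    return not (parsed.scheme in ("http", "https") and parsed.username)


def summarize_status(porcelain: str) -> dict:
    """Count working-tree changes from `git status --porcelain` (v1) output."""
    counts = {"modified": 0, "added": 0, "deleted": 0, "renamed": 0, "untracked": 0}
    for line in porcelain.splitlines():
        if len(line) < 3:
            continue
        code = line[:2]  # index status + work-tree status, e.g. " M", "A ", "??"
        if code == "??":
            counts["untracked"] += 1
        elif "R" in code:
            counts["renamed"] += 1
        elif "D" in code:
            counts["deleted"] += 1
        elif "A" in code:
            counts["added"] += 1
        elif "M" in code:
            counts["modified"] += 1
    return counts


def yes(answer: str) -> bool:
    """Only an explicit yes proceeds; an empty answer or anything else aborts."""
    return answer.strip().lower() in ("y", "yes")


def run_git(repo: str, *args: str) -> str:
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout


def deploy(repo: str, remote: str, branch: str, confirm) -> bool:
    """Show exactly what a push would do, then push only after confirmation.

    confirm(question) -> bool; wire it to input() for an interactive prompt.
    Returns True if a push was made. Uncommitted changes are displayed so the
    user sees they are NOT included; nothing is staged or committed here.
    """
    url = run_git(repo, "remote", "get-url", remote).strip()
    if not remote_url_is_clean(url):
        raise RuntimeError(f"remote {remote!r} embeds credentials in its URL; "
                           "strip them and use a credential helper or SSH key")
    print(f"remote: {remote} ({url})\nbranch: {branch}")
    print("working tree:", summarize_status(run_git(repo, "status", "--porcelain")))
    print(run_git(repo, "diff", "--stat"), end="")
    try:  # read-only fetch so the commit list below is accurate
        run_git(repo, "fetch", remote, branch)
        print("commits to push:\n" + run_git(repo, "log", "--oneline", "FETCH_HEAD..HEAD"))
    except subprocess.CalledProcessError:
        print(f"{remote}/{branch} does not exist yet; every local commit is new")
    if not confirm(f"Push HEAD to {remote}/{branch}? [y/N] "):
        print("aborted; nothing was pushed")
        return False
    run_git(repo, "push", remote, f"HEAD:{branch}")
    return True


# Constructed sample of `git status --porcelain` output, used for the usage check.
SAMPLE_STATUS = " M src/app.py\nM  README.md\nA  new.py\n?? notes.txt\nD  old.py\nR  a.py -> b.py\n"

if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    remote = sys.argv[2] if len(sys.argv) > 2 else "origin"
    branch = sys.argv[3] if len(sys.argv) > 3 else "main"
    deploy(repo, remote, branch, confirm=lambda q: yes(input(q)))
```

Run it as `python deploy.py <repo> <remote> <branch>`; the default answer to the prompt is no, so an agent that cannot answer the prompt cannot push. The URL check is what keeps the wrapper from silently inheriting a token that someone pasted into the remote configuration.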

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The skill documentation explicitly exposes and depends on a pre-configured access token for authenticated git operations. This turns a nominally local workflow into one that handles live credentials and remote repository access, increasing the risk of credential leakage, unauthorized pushes, and downstream compromise if the token is reused or over-privileged.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The documentation frames the skill as a simple local git helper, but it actually performs authenticated remote repository access using a configured URL and token. This mismatch is dangerous because it can mislead users and agents into transmitting code or metadata off-host without informed consent, reducing scrutiny around a sensitive operation.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill omits an explicit warning that using it will transmit repository contents to a remote server and may use stored credentials. In the context of an automation skill, this lack of disclosure is risky because users may invoke it expecting only local actions, leading to unintended data exfiltration or unauthorized publication of changes.

Natural-Language Policy Violations

Severity: High
Confidence: 100%
Finding: A hard-coded repository token is directly embedded in the skill documentation, which is a clear credential exposure and policy violation. Anyone with access to the skill file can potentially reuse the token to access the repository, push malicious commits, read private content depending on scope, or pivot into related systems if the token has broader privileges.

VirusTotal

54/54 vendors reported this skill as clean (0 detections). A clean antivirus verdict does not address the findings above: a hard-coded repository token is a credential exposure, not malware, and no vendor signature would flag it.