Code Diff Tool

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed diff tool, but its Git mode builds a shell command from user-controlled input, so the code needs review before installation.

Install only if you trust and can review the JavaScript. Avoid Git mode with untrusted input, and prefer a patched version that replaces the shell string with execFile or spawn, restricts Git to an allowlist of read-only subcommands, and asks for explicit confirmation before any repository operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The skill metadata and headline framing present it primarily as a side-by-side diff viewer, but the documented behavior is much broader: HTML file generation, directory comparison, and git-backed operations. This mismatch can cause users or orchestrators to invoke the skill under narrower trust assumptions than warranted, increasing the chance of unintended file writes or repository command execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The skill is presented as a diff viewer, but it also exposes a `git` path that runs arbitrary git subcommands supplied by the user. Because this is implemented through `execSync` with a shell command string, the capability exceeds the stated purpose and can be abused to execute unintended commands in the repository context.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: execSync(`git ${args}`) interpolates user-controlled input directly into a shell command, creating a command injection primitive. An attacker can supply shell metacharacters or crafted arguments to execute arbitrary OS commands, not just git operations, which can lead to code execution, data loss, or credential exposure.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: Broad trigger keywords like 'diff', 'compare', and 'side-by-side' are likely to collide with ordinary user requests, causing accidental activation. In an agent environment, ambiguous routing can expose local files, compare unintended paths, or trigger more capable operations than the user expected.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The natural-language invocation examples encourage activation from generic phrases such as 'diff file A and file B' and 'show me changes between these two versions', which are common requests that may match many contexts. This raises the risk of the wrong skill being auto-selected and performing file comparisons or related operations without sufficiently explicit user intent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The code executes user-supplied git arguments immediately and silently, with no warning, confirmation, or indication that shell execution is occurring. In this context, the missing safety boundary makes accidental or malicious destructive invocation more likely, especially since users may reasonably expect a viewer-only tool.

VirusTotal

63/63 vendors rated this skill clean (no detections). Note that a clean antivirus result says nothing about the command injection above: the `execSync` call is legitimate-looking code, not malware, and only code review finds it.