Skylv Diff Viewer

Security checks across malware telemetry and agentic risk

Overview

The diff viewer mostly matches its purpose, but its Git mode can execute unvalidated user-supplied text through the local shell.

Review carefully before installing. Basic file and directory diffing appears purpose-aligned, but avoid Git mode unless it is changed to use a non-shell argument array and a read-only allowlist. Only run it on files and repositories you explicitly choose, and avoid untrusted HTML export titles.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill metadata frames the tool narrowly as a side-by-side diff viewer, but the documented behavior includes broader capabilities such as HTML file generation, directory comparison, and git command execution. That mismatch can mislead users or orchestrators into granting broader trust or invoking the skill in contexts where filesystem access and subprocess-backed git operations carry more risk than a simple viewer.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: The `git` command path allows the user to supply arbitrary extra arguments which are concatenated into a shell command and executed with `execSync`. Although presented as a diff viewer, this behavior materially expands the skill into a general git command runner, enabling dangerous operations through git flags, aliases, or shell metacharacter injection if untrusted input reaches this interface.

Context-Inappropriate Capability

High
Confidence: 97%
Finding: The call execSync(`git ${args}`) executes through the shell, so user-controlled `gitArgs` can inject additional shell commands or invoke unsafe git behaviors. In a tool whose stated purpose is viewing diffs, spawning unrestricted subprocesses is unnecessary and creates a clear command-execution surface.

Vague Triggers

Medium
Confidence: 84%
Finding: Broad trigger keywords like 'diff' and 'compare' are likely to match ordinary user requests outside the intended scope, causing accidental invocation of a skill that may access files, directories, or repositories. In an agent environment, this increases the chance of unintended data exposure or execution of higher-privilege behaviors when the user did not explicitly request this tool.

Vague Triggers

Medium
Confidence: 86%
Finding: The natural-language examples ('diff file A and file B', 'show me changes between these two versions') are underspecified and do not impose constraints on paths, repositories, or output destinations. In agentic use, ambiguous examples encourage loose routing and parameter inference, which can lead to comparing unintended files, traversing directories, or operating on sensitive repos without clear user confirmation.

Missing User Warnings

Medium
Confidence: 96%
Finding: The code joins user-supplied git arguments into a shell command without warning and executes it in the repository directory. This is dangerous both because shell injection is possible and because even non-injected git options can trigger network access, hooks, pagers, or other side effects beyond simple diff viewing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal