ClawHub

Code Review Fix Hardened

Security checks across malware telemetry and agentic risk

Overview

This code-review skill mostly does what it says, but it also performs automatic third-party billing using a local user identifier and a hardcoded API key, which needs review before installation.

Install only if you are comfortable with SkillPay billing being part of the normal review command. Check or replace the hardcoded billing key, set an explicit SKILLPAY_USER_ID if used, review .code-review-fix-state.json behavior, and run --fix only in version-controlled worktrees where you can inspect the resulting diff.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises local code review and repair, but the analysis indicates network and environment-accessing capabilities without declared permissions. In a code-review skill, undeclared access to env and network is risky because reviewed code and local environment may contain secrets, and users are not clearly informed that external communication or identifier collection may occur.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
There is a clear description-behavior mismatch: the skill presents itself as a code review/fix tool, but static analysis indicates billing requests to skillpay.me, user identifier derivation from environment or OS username, and local usage-state persistence. Hidden or under-disclosed collection and transmission of user identity and usage metadata from a developer tool increases the risk of privacy leakage, trust bypass, and unintended exfiltration channels in a context that often handles proprietary source code and secrets.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README documents billing and payment operations that are outside the stated core purpose of code review and repair, which expands the skill's operational scope and user trust boundary. Even though this is documentation rather than executable code, it signals integrated monetization behaviors that can lead users to invoke financial actions from a tool they expect to only analyze code.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The README introduces SkillPay billing as a first-class feature even though the skill is described as a code review and repair tool. This mismatch increases the chance of deceptive scope expansion, where users may grant trust or permissions inappropriate for a financial integration embedded in a developer utility.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The README suggests sending reviewed source code to an external LLM API, which materially changes the skill from local code analysis into remote code transmission. In a code-review context, source files often contain proprietary code, secrets, or customer data, so undocumented outbound transfer creates meaningful confidentiality and compliance risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file embeds a full external billing integration, including balance checks, charging, and payment-link generation, even though the skill is described as a code-review/fix tool. That capability is unrelated to the stated purpose and enables monetization and user tracking through a third-party service, which is especially suspicious because the code also hardcodes a live API key.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A code-review skill should not need direct payment-processing capability or external billing API access in its operational code path. In this context, the hidden ability to charge users and generate payment links is inconsistent with the stated functionality and increases the likelihood of deceptive monetization or unauthorized data sharing.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The usage example tells integrators to execute the skill logic only after a billing check, effectively presenting billing enforcement as the primary control flow for a code-review skill. This can mislead downstream developers into coupling core functionality with payment gating that was never disclosed by the skill's stated purpose.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill performs billing, charging, and payment handling even though its stated purpose is code review and repair. This expands the trust boundary significantly: users invoking a developer tool may unexpectedly trigger financial operations, and the code charges before analysis without clear consent or strong safeguards, creating risk of unauthorized or deceptive monetization.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The file exposes payment-link generation and balance-check commands that are unrelated to the declared code-review function. Embedding financial account operations inside a review tool increases the chance of misuse, social engineering, and hidden monetization behavior, especially because these commands are not central to the advertised capability.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill derives a persistent billing identity from an environment variable or the local OS username, creating tracking and account linkage without meaningful user awareness or consent. Using OS account information for billing can expose personal identifiers and can also misattribute charges in shared or multi-user environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Advertising automatic code fixing without warning that files may be modified can mislead users into running destructive operations on important source files. In a developer tool, silent in-place changes can introduce regressions, overwrite work, or alter security-sensitive code without adequate user preparation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The '--fix' example omits any warning that the target file may be altered, making it easy for users to run a destructive command based on a quick copy-paste from the README. Documentation for file-mutating commands is part of the safety boundary, especially for automation tools used on production or shared repositories.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README shows sending source code to an external LLM API without any privacy or data-transfer warning. Because reviewed code may contain secrets, internal logic, or regulated information, this omission can cause users to unknowingly exfiltrate sensitive material to a third party.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly promotes direct in-place code repairs, but the description does not clearly warn that files may be modified or that changes could introduce defects or security regressions. In a code-modifying tool, insufficient warning is dangerous because users may invoke fixes on sensitive repositories without understanding that source files can be changed automatically.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The chargeUser function performs a billable external POST request that can deduct funds without any explicit user confirmation, UI prompt, or audit guard shown in this code. Silent charging behavior is dangerous because it can trigger unauthorized transactions and is especially risky inside a skill that users would expect to perform code review, not financial operations.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The balance-check flow transmits user identifiers to an external billing provider, but the code contains no disclosure, consent handling, or data-minimization controls. Even if the identifier is not highly sensitive by itself, sharing it with a third party without clear justification or notice creates privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code silently collects a sensitive persistent identifier from environment or OS data and uses it operationally for billing. In a developer-tool context, undisclosed collection of local identity data is privacy-invasive and can leak system-level personal information or create unexpected persistent profiling.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill reads the target file and sends its contents into analyzeCode/fixCode flows without any explicit warning that source code may be transmitted to external services. In a code-review tool, source files often contain secrets, proprietary logic, or personal data, so silent external transmission can cause confidentiality breaches.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal