Production Code Audit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a repository audit/fixing skill, but its instructions blur the line between read-only review and autonomous code or workflow changes.

Install only if you are comfortable with a skill that may move beyond analysis into code changes, tests, PR workflow, and issue-management actions. Use it in a disposable branch or sandbox, require an explicit audit-only mode unless you want fixes, and do not allow automatic secret edits or external issue/PR actions without review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding: The skill declares a safe default of read-only audit mode and says fixes require an explicit user request, but later instructions direct autonomous modification. This contradiction can cause an agent to perform repository-changing actions when a user expected analysis only, violating least surprise and weakening consent boundaries.

Intent-Code Divergence

Severity: High | Confidence: 97%
Finding: The secrets-handling guidance says not to remove or commit secrets, but examples normalize automatic secret replacement in code edits. In practice, this can lead an agent to touch credential-bearing files, accidentally commit sensitive material, or destroy forensic evidence before the user rotates the secret.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
Finding: The skill says to ask before running tests locally when external dependencies may exist, but later requires automatic test execution without user input. This can trigger unintended network calls, database mutations, service costs, or data corruption in a non-sandboxed environment.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding: The document repeatedly states fixes are optional or require explicit request, yet best practices and autonomous instructions tell the agent to scan and fix automatically. That inconsistency broadens the effective authority of the skill and increases the likelihood of unauthorized code changes across the repository.

Description-Behavior Mismatch

Severity: High | Confidence: 96%
Finding: The manifest describes applying changes and PR creation as optional, but the body operationalizes automatic fixing as the default in several places. This mismatch is dangerous because policy engines or users may rely on the metadata summary while the actual instructions drive broader, side-effecting behavior.

Context-Inappropriate Capability

Severity: Medium | Confidence: 83%
Finding: Instructions to create GitHub issues and assign owners extend the skill from auditing into project-management and workflow automation. While likely intended to improve follow-through, these actions can create external side effects, spam trackers, or assign work without user authorization.

Vague Triggers

Severity: Medium | Confidence: 87%
Finding: Broad trigger phrases like 'make this production-ready' can activate the skill in situations where the user intended advice rather than autonomous repository-wide scanning or modification. In a skill that also contains contradictory auto-fix instructions, loose invocation criteria materially increase the chance of overbroad action.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding: The skill directs autonomous code modification, file creation, and verification steps without a strong up-front warning at invocation time about the extent of repository changes. Users may reasonably expect an audit report, yet the skill can proceed to broad edits and test execution, increasing operational and safety risk.

VirusTotal

66/66 vendors flagged this skill as clean.