Back to skill

Security audit

Opensource Skill To Github

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real publishing helper, but it deserves review because it can send local skill source code to public services and has persistent credential handling that needs careful use.

Install only if you are comfortable with shell scripts that read and copy local skill directories, create git repositories, and publish source to GitHub, clawhub.com, or skillhub.cn. Prefer gh auth token or a credential manager, do not put plaintext OSG_GITHUB_TOKEN in the profile, review strip_scan output and the exact publish file list, and revoke any one-time tokens after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documents shell and file-read operations but does not declare permissions, creating a capability transparency gap. In an agent environment, undocumented shell/file access increases the chance that a user or orchestrator invokes the skill without understanding it can read local content and run commands affecting repositories and files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The manifest understates behavior by omitting persistent profile storage, plaintext token support, and a separate skillhub.cn publishing path. This is dangerous because users may consent to a GitHub-only publishing workflow while the skill also supports credential persistence and additional outbound publication, expanding data exposure and trust boundaries.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documented workflow includes publishing to skillhub.cn, but the manifest omits this separate distribution channel. Hidden outbound publishing destinations are security-relevant because they can cause unanticipated code disclosure to third-party platforms and bypass a user's expectation of where their content will be sent.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill's hard rules say the original skill must never be modified, yet Step 1 offers 'direct evolution' of the original skill as an option. This contradiction can lead operators or downstream automation to modify the source skill in place, risking accidental leakage of internal content or corruption of the original repository.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code executes `OSG_GITHUB_TOKEN_CMD` via `sh -c`, and that value can come from `profile.env` or the environment without validation. This makes the profile effectively code-executable rather than data-only, so any attacker who can modify the profile or influence the environment can run arbitrary shell commands in the context of the calling script, not just retrieve a token.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script intentionally stores profile data under the user's home config directory and explicitly advertises cross-agent, cross-workspace reuse. That persistence expands the trust boundary beyond the local skill/workspace described in the skill metadata, increasing the chance that later agents or unrelated processes consume sensitive publishing identity data unexpectedly.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill metadata says tokens should never be written to persistent locations, but the generated profile comments explicitly permit storing OSG_GITHUB_TOKEN in plaintext in profile.env. Even with chmod 600, plaintext credential storage creates a durable secret exposure risk through backups, endpoint compromise, shell tooling, and accidental disclosure.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata says the optional public destination is clawhub.com, but this script publishes to skillhub.cn instead. That mismatch creates a trust and disclosure problem: a user may consent to publication to one service while the skill actually transmits code and metadata to a different third-party platform, causing unintended source disclosure and token use.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This function silently runs a shell command to obtain credentials, with no user-visible disclosure at the operation site. In a skill that promises careful token handling and interactive decision points, hidden command execution increases the chance that a user unknowingly triggers code from a mutable profile file or environment, which can lead to credential theft or unexpected side effects.

External Transmission

Medium
Category
Data Exfiltration
Content
# Usage: SKILLHUB_CN_TOKEN=skh_xxx ./skillhub_cn_publish.sh <fork-abs-path>
#
# 协议(2026-07-13 实测):
#   POST https://api.skillhub.cn/api/v1/community/skills/publish
#   Content-Type: multipart/form-data ; Authorization: Bearer skh_xxx
#   field "payload" (JSON): slug / name / displayName(必填) / summary / description / version
#   field "files" (repeated): 每个源码文件(白名单外的文件会被平台拒收)
Confidence
97% confidence
Finding
https://api.skillhub.cn/

Credential Access

High
Category
Privilege Escalation
Content
| Channel | Auth |
| --- | --- |
| **clawhub** | `CLAWHUB_TOKEN`, obtained via `clawhub login` web flow (fully independent system) |
| **GitHub** | Personal Access Token (PAT), **completely independent** from clawhub |
| **skills.sh** | No independent token — indexed via GitHub repo, sync uses the GitHub PAT |

⚠️ GitHub push over a restricted network uses an `Authorization: Basic base64(x-access-token:TOKEN)`
Confidence
68% confidence
Finding
Access Token

Credential Access

High
Category
Privilege Escalation
Content
# setup_profile.sh — 首次引导:交互式收集开源身份 + 写入持久化 profile
#
# 写入位置(XDG 兼容):
#   ${XDG_CONFIG_HOME:-$HOME/.config}/opensource-skill-to-github/profile.env
#
# 跨 agent 工作:profile 在用户 $HOME 下,不在 skill 目录、不在 workspace;
# 重装 skill / 切 agent / 换 workspace 都不丢;权限 600 不可被其他用户读。
Confidence
74% confidence
Finding
.env

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/git_init.sh:96