Security audit

migratesafe

Security checks across malware telemetry and agentic risk

Overview

MigrateSafe is a local database migration scanner whose report output and git hook changes are documented, user-invoked, and proportionate to its purpose.

Install this if you want a local migration safety checker. Before using paid features, expect it to read a local license key. Before running hooks install, be aware it changes the current repository's lefthook configuration and may block commits with high-risk staged migrations. The report command may create a markdown report in the working directory, so run it from a location where that file is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The skill includes report-generation behavior that writes a new Markdown file to disk, which exceeds a narrow 'checker' role and creates side effects in the working directory. While the content is locally generated rather than attacker-supplied, silent file creation can violate user expectations, leak scan results into repositories or CI artifacts, and be abused in automation contexts where read-only analysis is assumed.

Missing User Warnings

Medium
Confidence: 90%
Finding
Installing git hooks modifies repository state and changes future commit behavior, which can surprise users and affect developer workflows if not preceded by an explicit warning and confirmation. In an agent setting, repo-modifying actions are sensitive because they persist beyond the immediate command and may block commits or introduce new project files without the user fully understanding the side effects.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script writes the report directly to disk without a user-facing warning, confirmation, or safe-output guardrails. In agentic, CI, or pre-commit contexts, this can unexpectedly create files containing repository metadata and security findings, which may then be committed, exposed in logs/artifacts, or interfere with workflows.

VirusTotal

67/67 vendors flagged this skill as clean.
