perfguard

Security checks across malware telemetry and agentic risk

Overview

PerfGuard is, for the most part, a local performance scanner whose behavior matches its description, but some paid features can change repository state, and its license handling is not robust enough for sensitive execution contexts.

Review before installing. Basic scans are local and purpose-aligned, but run trend analysis only in a clean or disposable worktree, install hooks only in repositories where persistent pre-commit scanning is wanted, and avoid untrusted or manually crafted license tokens until license verification and parsing are hardened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

MCP Least Privilege

Medium
Confidence
89% confidence
Finding
The skill advertises shell execution and likely network-capable behavior through installation, hook management, and license-related operations, yet declares no permissions. This weakens user consent and platform enforcement because a user may invoke a seemingly simple scanner without visibility that it can modify the repo, run system tools, or potentially access external resources.

MCP Tool Poisoning

High
Confidence
95% confidence
Finding
The skill description frames the tool as a local performance scanner, but the documented behavior includes license handling, reading user config, installing git hooks, writing reports, and traversing git history. That mismatch can cause users to approve execution under incomplete assumptions, increasing the risk of unintended persistence, filesystem changes, and broader repository access.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The trend-analysis feature performs `git checkout` across historical commits, which mutates the user's working repository despite the skill being presented as a scanner. In an agent/automation context, repository state changes can disrupt uncommitted work, alter the current branch/HEAD unexpectedly, and create unsafe side effects far beyond passive analysis.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
Implementing repository-switching capability is risky because it gives a nominally read-only scanner a write-like operational side effect on the developer's repo state. That mismatch increases the chance of surprise execution in CI or local agent runs, where branch/commit switching can interfere with builds, hooks, user edits, or chained tooling that assumes the repository remains stable.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The JWT verification is fail-open: if CLAWHUB_JWT_SECRET is not set or openssl is unavailable, the code accepts any structurally valid 3-part token with a non-empty signature and then trusts claims from its payload. An attacker can forge a fake license by supplying arbitrary header/payload/signature text, bypassing tier enforcement and causing the script to trust unauthenticated license claims.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script goes beyond passive scanning and can modify repository state by creating or appending to lefthook.yml and installing Git hooks. That behavior is not inherently malicious, but it expands the skill's authority and persistence in a way users may not expect from a 'scanner', increasing trust and supply-chain risk if the hooked scripts later change or are abused.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Including install/uninstall capabilities for repository hooks introduces persistent code execution on future commits, which is materially different from one-time analysis. In a security review, that is a meaningful capability expansion because it alters developer workflow and can cause ongoing execution of sourced shell scripts from a user-controlled path.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation examples are broad and overlap with common developer requests, making accidental triggering more likely. Because this skill can do more than read-only scanning—such as install hooks, write reports, and inspect git history—over-broad activation raises the chance of unintended execution with side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
`git checkout "$commit_hash"` changes repository state without an inline warning or consent at the point of execution. Even if intended for historical scanning, this can discard developer context, trigger unintended tool behavior, and leave the repo in a detached HEAD or other unexpected state if restoration fails.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The install path writes to or appends to repo_root/lefthook.yml without a strong up-front disclosure that a repository configuration file will be modified. While the user invoked install, the lack of explicit file-write warning reduces informed consent and can surprise users in shared repositories or automated environments.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The uninstall flow rewrites lefthook.yml via awk and mv, but does not clearly disclose beforehand that repository configuration will be edited. This is low severity, yet risky because automated text removal can damage unrelated configuration if the pattern matching behaves unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
