PR Description

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PR-description helper that can optionally update a GitHub PR only after review and explicit approval.

Install only if you want an agent to use local git or gh for PR-description work. Before approving any update, verify the GitHub account, target PR, generated title, and body because confirmed updates will change the PR on GitHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

High
Confidence: 98%
Finding:
The skill is advertised as a PR description generator, but it also instructs the agent to perform a state-changing remote action by editing GitHub PR metadata via `gh pr edit`. That expands scope from summarization into repository modification, which can cause unauthorized or unintended changes if the skill is auto-triggered or the user does not fully understand the side effect.

Context-Inappropriate Capability

High
Confidence: 97%
Finding:
The capability to modify remote PR content is not justified by the stated purpose of generating PR descriptions and creates an unnecessary write path to an external system. Even with some confirmation language, embedding mutation logic in a content-generation skill increases the risk of confused-deputy behavior, accidental edits, and abuse through broad triggering.

Vague Triggers

Medium
Confidence: 86%
Finding:
The trigger conditions are overly broad, including essentially any request involving a PR URL or PR-related reading/generation task. In combination with the skill's ability to invoke `gh` commands and potentially update PRs, this broad activation surface makes unintended invocation more likely and increases exposure to external untrusted content and state-changing actions.

VirusTotal

66/66 vendors flagged this skill as clean.
