ci-package-deploy-notify

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear CI/CD notification purpose, but it bundles high-impact Jenkins, Feishu, and GitHub credentials, and its authenticated Jenkins polling attaches those credentials to a URL taken from a server response without first checking that the URL points at the configured Jenkins host.

Do not install this as-is in a shared or public environment. Before use: rotate the exposed GitHub, Feishu, webhook, and Jenkins credentials; remove the unused SCM and wiki secrets; restrict Jenkins URL handling so that credentials are only ever sent to the configured Jenkins origin (scheme, host and port); and supply the remaining secrets from environment-managed, least-privilege sources rather than from the skill's own configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Tainted flow: 'qurl' from requests.get (line 471, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
while time.time() - started < timeout_seconds:
    if build_api is None:
        qurl = queue_url.rstrip("/") + "/api/json"
        resp = requests.get(qurl, auth=(user, api_token), timeout=15)
        resp.raise_for_status()
        qdata = resp.json()
        executable = qdata.get("executable")
Confidence
94% confidence
Finding
resp = requests.get(qurl, auth=(user, api_token), timeout=15)
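The flagged line sends the Jenkins user and API token to whatever queue_url points at, and the build URL read out of the queue item's executable field is used the same way one step later. The following is an editor's example of the origin check the overview recommends; it is not code from the scanned skill or from SkillSpector. The function names (require_jenkins_url, wait_for_build), the host jenkins.example.internal and the Jenkins JSON responses are constructed for illustration, and the HTTP call is injected as fetch_json so the example runs offline (in a real skill it would wrap requests.get with auth and a timeout).

```python
import time
from urllib.parse import urlsplit

# Editor's example, not the scanned skill's code. Host names, function names and
# the Jenkins responses below are assumptions made for illustration.
DEFAULT_PORTS = {"http": 80, "https": 443}


class UntrustedJenkinsURL(ValueError):
    """Raised when a server-supplied URL is not on the configured Jenkins origin."""


def _origin(url):
    """Normalise (scheme, host, port) so 'https://J:443/x' and 'https://j/x' compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def require_jenkins_url(base_url, candidate):
    """Return candidate only if credentials may be sent to it; otherwise raise."""
    parts = urlsplit(candidate)
    # 'https://jenkins.example.internal@evil.example/' parses as user=jenkins..., host=evil.example
    if parts.username is not None or parts.password is not None:
        raise UntrustedJenkinsURL("userinfo in URL: %r" % candidate)
    origin = _origin(candidate)
    if not origin[1]:
        raise UntrustedJenkinsURL("no host in URL: %r" % candidate)
    if origin != _origin(base_url):  # scheme, host and port must all match
        raise UntrustedJenkinsURL("%r is not on the configured Jenkins origin %r" % (candidate, base_url))
    return candidate


def is_trusted_jenkins_url(base_url, candidate):
    """Boolean form of require_jenkins_url (a malformed port also counts as untrusted)."""
    try:
        require_jenkins_url(base_url, candidate)
        return True
    except ValueError:
        return False


def wait_for_build(base_url, queue_url, user, api_token, fetch_json,
                   timeout_seconds=300, poll_interval=5.0, sleep=time.sleep):
    """Poll a queue item, then its build, and return the build result.

    fetch_json(url, auth) performs the GET and returns decoded JSON; credentials are
    attached only to URLs that pass require_jenkins_url.
    """
    auth = (user, api_token)
    queue_api = require_jenkins_url(base_url, queue_url).rstrip("/") + "/api/json"
    build_api = None
    started = time.monotonic()
    while time.monotonic() - started < timeout_seconds:
        if build_api is None:
            executable = fetch_json(queue_api, auth).get("executable")
            if executable:
                # executable.url is also server-supplied: validate before authenticating to it
                build_api = require_jenkins_url(base_url, executable["url"]).rstrip("/") + "/api/json"
        else:
            bdata = fetch_json(build_api, auth)
            if not bdata.get("building", False) and bdata.get("result") is not None:
                return bdata["result"]
        sleep(poll_interval)
    raise TimeoutError("build did not finish within %s seconds" % timeout_seconds)


def _fake_jenkins(responses):
    """Offline stand-in for the HTTP layer; records every URL that received credentials."""
    seen = []

    def fetch_json(url, auth):
        seen.append(url)
        replies = responses[url]
        return replies.pop(0) if len(replies) > 1 else replies[0]
    return fetch_json, seen


BASE = "https://jenkins.example.internal"  # assumed configured Jenkins host
_NO_SLEEP = lambda _s: None


def demo():
    """Normal path against constructed Jenkins responses (not real Jenkins data)."""
    responses = {
        BASE + "/queue/item/42/api/json": [
            {"id": 42, "blocked": False, "executable": None},
            {"id": 42, "executable": {"number": 7, "url": BASE + "/job/deploy/7/"}},
        ],
        BASE + "/job/deploy/7/api/json": [
            {"number": 7, "building": True, "result": None},
            {"number": 7, "building": False, "result": "SUCCESS"},
        ],
    }
    fetch_json, seen = _fake_jenkins(responses)
    result = wait_for_build(BASE, BASE + "/queue/item/42/", "ci-bot", "token-placeholder",
                            fetch_json, timeout_seconds=30, poll_interval=0, sleep=_NO_SLEEP)
    return result, seen


def demo_hostile():
    """Queue item whose executable URL points off-host: no credentials must reach it."""
    hostile = "https://jenkins.example.internal@evil.example/job/deploy/1/"
    responses = {BASE + "/queue/item/43/api/json": [{"id": 43, "executable": {"number": 1, "url": hostile}}]}
    fetch_json, seen = _fake_jenkins(responses)
    try:
        wait_for_build(BASE, BASE + "/queue/item/43/", "ci-bot", "token-placeholder",
                       fetch_json, timeout_seconds=30, poll_interval=0, sleep=_NO_SLEEP)
    except UntrustedJenkinsURL:
        return "rejected", seen
    return "accepted", seen
```

The check compares scheme, host and port rather than doing a prefix match on the base URL, because a prefix match accepts jenkins.example.internal.evil.example, and it rejects URLs carrying userinfo, because the host a human reads in such a URL is not the host the client connects to.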

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The configuration embeds capabilities and secrets for GitHub, Feishu app/wiki access, Jenkins, and deployment notification in a single skill whose stated purpose is only Jenkins package/deploy plus post-success notification. This expands the skill’s effective authority well beyond its declared scope and creates a dangerous concentration of credentials: if the skill or its scripts are misused, an attacker could access source control, internal docs, messaging, and CI/CD systems from one config.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Repository/org metadata, branch templates, PR base options, and auto-merge branch settings indicate embedded source-control and PR workflow capability that is not justified by the described deploy-notify role. In a CI/CD skill, unnecessary SCM workflow authority is especially risky because it can be chained with build/deploy access to modify code, create PRs, or steer releases through privileged automation paths.

VirusTotal

66/66 vendors reported this skill as clean. That result covers known-malware signatures only; the findings above are scope and data-flow issues that antivirus scanning does not assess, so a clean VirusTotal result does not change the recommendation in the overview.