Gh Address Comments

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for GitHub PR maintenance, but it asks for broad GitHub CLI scopes and elevated command access beyond what is clearly necessary.

Review this skill before installing if you use GitHub credentials with access to private or sensitive repositories. Prefer using the minimum gh scopes needed for the target repository, avoid granting workflow scope unless you explicitly need it, and run the helper only on PRs whose comments you are comfortable exposing to the local agent context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill explicitly instructs use of shell-based `gh` commands with elevated network access and escalated sandbox permissions, but it does not declare any permissions. This creates a trust and review gap: operators may invoke networked shell actions and authentication flows without clear permission disclosure, increasing the chance of unintended data access or execution beyond the stated security model.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 89%
Finding:
The skill claims to help address PR comments, but the described behavior primarily fetches and enumerates PR comments and review data, including use of direct GitHub API access and structured export, without clearly implementing the 'address' phase. This mismatch is dangerous because it can cause users to authorize broader access or disclose repository review metadata under misleading expectations about the skill's purpose.

VirusTotal

65/65 vendors flagged this skill as clean.
