gh-cli

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only GitHub CLI skill, but the reference it carries covers broad write, delete, credential, extension, and remote-access commands, while its description reads as mostly read-only repository analysis.

Install only if you want an agent to have a broad GitHub CLI reference, not just a read-only repository-analysis helper. Use least-privilege tokens, prefer read-only scopes where possible, and require explicit review before any command that writes, deletes, merges, triggers workflows, changes secrets/configuration, installs extensions, opens Codespaces access, creates shell aliases, or prints authentication tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (36)

Description-Behavior Mismatch

Severity: Medium | Confidence: 96%
Finding
The documented command set includes workflow run, rerun, cancel, delete, and enable/disable operations that materially exceed the skill's declared purpose of remote repository analysis and file fetching. In an agent setting, state-changing GitHub Actions controls that the reference file documents but the skill description never implies expand the blast radius from read-only analysis to remote CI/CD manipulation, artifact retrieval, and destructive operations.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
This file exposes remote CI/CD control primitives despite the skill being described as an analysis tool, creating a privilege/scope mismatch that can mislead downstream agents into performing mutating operations on GitHub repositories. Such capabilities can be abused to trigger workflows with attacker-chosen inputs, rerun jobs, cancel evidence-generating runs, disable protections, or download artifacts that may contain sensitive build outputs.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
Finding
The referenced command changes the local Git credential-helper configuration, which is a state-changing capability unrelated to the skill's stated read-oriented repository analysis purpose. In an agent context, documenting or exposing this command can lead to credential flow changes on the user's machine, increasing the risk of unintended authentication persistence or token use beyond repository inspection.

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%
Finding
A capability to configure Git credential helpers is unjustified by the declared use case of remote repository analysis, file fetching, comparison, and discovery. Including this expands the effective privilege and behavior of the skill beyond its advertised scope, which is dangerous because users may invoke it expecting safe read-only operations while it alters authentication behavior on the host.

Description-Behavior Mismatch

Severity: High | Confidence: 96%
Finding
The documented commands include multiple write-capable operations such as issue deletion, commenting, locking/unlocking, reopening/closing, label editing, project item editing, and alias definition. That materially exceeds the skill's stated read-oriented purpose of remote repository analysis and file fetching, creating capability overreach that could let an agent mutate GitHub state unexpectedly if it relies on these references.

Context-Inappropriate Capability

Severity: Critical | Confidence: 99%
Finding
The documentation explicitly describes alias definitions that are evaluated by the shell via sh when the alias starts with ! or uses --shell. In an agent context, exposing shell-evaluated alias creation enables arbitrary command execution beyond GitHub operations, which can lead to host compromise, credential theft, or unauthorized local/remote actions.

Description-Behavior Mismatch

Severity: High | Confidence: 96%
Finding
The documented command set is substantially broader than the skill's stated purpose of read-oriented remote repository analysis and discovery. It includes mutating and administrative capabilities across authentication, secrets, keys, caches, gists, orgs, and codespaces, which creates a dangerous mismatch between declared scope and actual accessible functionality and increases the chance an agent will perform privileged side effects unexpectedly.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
The skill documents authentication flows and token handling capabilities that exceed a repository-analysis use case, including login, token use from stdin/environment, and credential storage behavior. In an agent context, this can enable credential acquisition, persistence, or misuse well beyond passive analysis, especially if a model is prompted to authenticate or inspect auth state.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding
Secret and variable management commands allow creation, deletion, and modification of repository, organization, environment, and user-level configuration data. These are privileged write operations unrelated to read-only analysis and could be abused to plant secrets, alter CI/CD behavior, or tamper with deployment and automation settings.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
SSH and GPG key administration capabilities permit changes to account-level trust material that are unrelated to repository analysis. If misused, they could add attacker-controlled keys, remove legitimate keys, or alter signing/remote-access posture for the GitHub account.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding
Codespaces features such as SSH access, file copy, port forwarding, Jupyter/VS Code opening, and remote file expansion expose remote execution and data-movement capabilities well beyond repository analysis. In particular, documented use of remote shell-style expansion and SSH integration increases the risk of command injection, unauthorized data access, and lateral movement in a live development environment.

Description-Behavior Mismatch

Severity: High | Confidence: 96%
Finding
The skill metadata frames this capability as read-oriented remote repository analysis and discovery, but the referenced documentation includes mutation operations such as merging pull requests. That mismatch can cause an orchestrating agent or user to grant trust, permissions, or invoke the skill under the false assumption that it is non-destructive, enabling unintended repository changes.

Description-Behavior Mismatch

Severity: High | Confidence: 95%
Finding
This section documents project-management mutations like adding items and marking templates that are outside the stated analysis-focused purpose. Hidden or under-declared write capabilities are dangerous because they expand the effective attack surface and may let an agent alter project state when operators believe the skill is only observing data.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
Finding
The documentation exposes editing, closing, locking, deleting, and other state-changing project/PR operations beyond the manifest’s declared scope. In security terms, this is a capability transparency failure: consumers may overtrust the skill, provision tokens too broadly, or allow autonomous use where destructive actions were not expected.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
Finding
Agent-task creation is unrelated to the stated purpose of repository analysis and discovery, so it represents undeclared operational capability expansion. Even if not directly destructive, it can trigger unintended workflows, create persistent artifacts, or be abused for spam/task injection in repositories or organizations.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
Finding
The skill metadata says it is for remote repository analysis, file fetching, comparison, and discovery, but this reference file exposes release deletion functionality that can destroy repository artifacts. That mismatch increases the chance an agent or user will invoke destructive operations under a supposedly read-oriented skill, creating real integrity and availability risk for release assets and downstream consumers.

Description-Behavior Mismatch

Severity: High | Confidence: 96%
Finding
Release asset upload is a write capability that exceeds the stated analysis/fetch/discovery scope and could be abused to publish malicious or unauthorized binaries under a legitimate repository release. In a skill expected to inspect repositories without cloning, hidden publishing capability materially expands attack surface and privilege misuse potential.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
Finding
Asset deletion is destructive and inconsistent with the skill's declared read/analysis role, enabling removal of release artifacts that users may depend on for distribution or verification. Because the skill appears positioned for passive repository inspection, inclusion of destructive release operations makes accidental or induced misuse more likely.

Description-Behavior Mismatch

Severity: High | Confidence: 95%
Finding
Release editing allows changing published metadata and draft state, which is a mutating administrative function not aligned with the stated repository-analysis purpose. This can enable tampering with release notes, publishing drafts unintentionally, or altering user trust signals through an apparently analytical tool.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding
The file documents a broad set of state-changing GitHub operations—such as create, edit, delete, fork, archive, deploy-key, release, issue, project, and codespace actions—despite the skill being described as focused on remote repository analysis, file fetching, comparison, and discovery. This mismatch materially expands the skill's effective capability surface and creates a dangerous opportunity for an agent to perform unintended write or destructive actions against authenticated GitHub resources.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding
The inclusion of `gh api` gives authenticated arbitrary API access to GitHub, enabling both broad data access and arbitrary remote state changes well beyond a repository-analysis use case. In an agent context, this is especially risky because a single generic primitive can bypass narrower safety assumptions and reach endpoints for issues, secrets and variables, org settings, or other mutable resources.

Context-Inappropriate Capability

Severity: Critical | Confidence: 99%
Finding
`gh extension install` and `gh extension exec` introduce the ability to fetch and run external executable code, which is unrelated to the stated repository-analysis purpose and effectively creates arbitrary code execution capability. In an authenticated CLI environment, this can lead to execution of untrusted binaries/scripts with access to local files, network, and GitHub credentials.

Context-Inappropriate Capability

Severity: High | Confidence: 96%
Finding
`gh repo clone` conflicts with the manifest's claim that the skill is for analyzing repositories without cloning and enables local materialization of arbitrary repositories. This increases exposure to malicious repository content, local filesystem interaction, and downstream execution pathways that are unnecessary for remote-only analysis.

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%
Finding
`gh pr checkout` performs local git operations that fetch and switch branches, materializing pull request content on disk and modifying local repository state. For a remote-analysis skill, this is unnecessary and risky because PRs may contain attacker-controlled content and checkout can influence subsequent tools or user actions in the workspace.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
Secrets and variables management capabilities are unrelated to repository analysis and expose sensitive configuration surfaces that can affect GitHub Actions, Dependabot, or Codespaces behavior. Even read access to variables can reveal operational details, while write access to secrets/variables can enable persistence, data exfiltration, or workflow compromise.
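The Overview's recommendation (least-privilege tokens, explicit review before anything that writes, deletes, merges, triggers workflows, touches secrets, installs extensions, opens Codespaces, creates shell aliases, or prints tokens) and the `gh api`, alias, and extension findings above all reduce to one control: classify every gh invocation before it runs. The POSIX shell gate below is an added example written for this page; it is not part of the skill, the scanner, or gh itself. The three verdicts, the read-only allowlist, the `ask_operator` hook, and the sample invocations are this example's assumptions. Its one piece of gh-specific knowledge is documented behaviour: `gh api` defaults to GET, switches to POST when `-f`/`-F`/`--input` add parameters, and treats an alias as shell-evaluated when its expansion starts with `!` or it is set with `--shell`.

```shell
#!/bin/sh
# gh_gate: deny-by-default policy gate for GitHub CLI invocations issued by an agent.
# Usage:   gh_gate pr view 42 --repo cli/cli     -> prints a verdict, always exits 0
# Wrap it: case "$(gh_gate "$@")" in allow) gh "$@" ;; review) ask_operator "$@" ;; *) exit 1 ;; esac
#          (ask_operator is a hypothetical approval hook, not a real command)
# Verdicts are this example's policy, not anything gh itself enforces:
#   allow  - read-only against GitHub; may run unattended
#   review - mutates GitHub or local state, or materializes remote content locally;
#            needs explicit human approval first
#   block  - runs arbitrary code or reveals/changes credentials; never run from an agent
gh_gate() {
  cmd="${1:-}"; sub="${2:-}"
  case "$cmd" in
    # Aliases whose expansion starts with "!" (or are set with --shell) are evaluated by sh.
    alias)
      if [ "$sub" != set ]; then echo review; return 0; fi
      shift 2
      for a in "$@"; do
        case "$a" in -s|--shell|"!"*) echo block; return 0 ;; esac
      done
      echo review ;;   # a plain alias can still hide a mutating command behind a harmless name
    # Extensions are fetched and executed; install/upgrade/exec are code execution.
    extension)
      case "$sub" in install|upgrade|exec) echo block ;; *) echo review ;; esac ;;
    # Credential flows: login/token/refresh block; setup-git rewrites the git credential helper.
    auth)
      case "$sub" in
        status) shift 2
                for a in "$@"; do case "$a" in -t|--show-token) echo block; return 0 ;; esac; done
                echo allow ;;
        logout|switch|setup-git) echo review ;;
        *) echo block ;;
      esac ;;
    # gh api: GET unless a method is given, or unless -f/-F/--input add a body, which makes the
    # documented default POST. "-X GET -f q=..." sends fields as query parameters and stays read-only.
    # GraphQL is always POST, so it lands in review; that is deliberate.
    api)
      shift
      method=""; has_body=0
      while [ $# -gt 0 ]; do
        case "$1" in
          -X|--method)                       method="${2:-}"; shift ;;
          --method=*)                        method="${1#--method=}" ;;
          -X?*)                              method="${1#-X}" ;;
          -f|--raw-field|-F|--field|--input) has_body=1; shift ;;
          --raw-field=*|--field=*|--input=*) has_body=1 ;;
        esac
        [ $# -gt 0 ] && shift
      done
      if [ -z "$method" ]; then
        if [ "$has_body" -eq 1 ]; then method=POST; else method=GET; fi
      fi
      method=$(printf '%s' "$method" | tr '[:lower:]' '[:upper:]')
      if [ "$method" = GET ]; then echo allow; else echo review; fi ;;
    # Codespaces: listing is fine; anything that opens a shell or moves files is remote execution.
    codespace)
      case "$sub" in list|view) echo allow ;; ssh|cp|ports|code|jupyter) echo block ;; *) echo review ;; esac ;;
    # Read-only allowlist matching the repository-analysis use case. Downloads and checkouts
    # (run download, release download, repo clone, pr checkout) fall through to review.
    repo|pr|issue|release|run|workflow|search|label|cache)
      case "$cmd $sub" in
        "repo view"|"repo list"|"pr view"|"pr list"|"pr diff"|"pr checks"|"pr status"|\
        "issue view"|"issue list"|"issue status"|"release view"|"release list"|\
        "run view"|"run list"|"workflow view"|"workflow list"|"label list"|"cache list"|"search "?*)
          echo allow ;;
        *) echo review ;;
      esac ;;
    # secret, variable, ssh-key, gpg-key, gist, org, project, agent-task and anything unknown:
    # mutating or sensitive, so review. Even "secret list"/"variable list" reveals configuration.
    *) echo review ;;
  esac
  return 0
}

# Demo over constructed invocations (not captured from any real agent session).
for argv in \
  "repo view cli/cli" \
  "api repos/cli/cli/issues" \
  "api -X GET search/code -f q=token" \
  "api repos/cli/cli/issues -f title=hello" \
  "api --method DELETE repos/cli/cli/releases/1" \
  "pr merge 42" \
  "alias set cleanup !rm" \
  "extension install owner/gh-thing" \
  "auth token" \
  "codespace ssh"; do
  # shellcheck disable=SC2086  # word-splitting is intended: the string stands in for argv
  printf '%-46s %s\n' "$argv" "$(gh_gate $argv)"
done
```

The gate is deliberately coarse: it keys on the subcommand and a handful of flags, so a new gh release that adds a mutating verb under an allowlisted command would default to `review` only if the verb is absent from the allowlist. Keep the allowlist explicit rather than pattern-based for that reason, and pair the gate with a token that cannot write in the first place, since a policy layer in front of the agent is not a substitute for scoping the credential.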

VirusTotal

63/63 vendors flagged this skill as clean.
