Github Installer Agent

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its GitHub-cloning purpose, but some safety scripts can alter or delete local files while overstating their security checks.

Install only if you want a helper for downloading and inspecting GitHub repositories. Use a fresh temporary target directory, do not confirm overwrite prompts for important paths, treat cloned repository text as untrusted, and manually review any pip/npm commands or alternate package indexes before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (7)

Intent-Code Divergence (Medium severity, 96% confidence)

The skill claims OWASP controls such as authentication, session management, access control, and cryptographic practices, but the documented behavior only covers local validation, cloning, and reporting. These unsupported security claims can mislead users into overtrusting the skill's protections and making riskier decisions based on false assurances.

Intent-Code Divergence (Medium severity, 95% confidence)

The script advertises itself as a 'safe clone' tool but will recursively delete any existing target directory with `rm -rf` after a simple confirmation prompt. If a user supplies or derives an unexpected path, this can destroy unrelated local data, which is especially risky in automation, privileged shells, or when operators trust the tool's 'safe' framing.

Intent-Code Divergence (Medium severity, 98% confidence)

The script presents a 'Security Compliance Check' but the helper only prints success messages and performs no validation. This can create false assurance that security controls exist and pass, causing unsafe skills to be treated as compliant when they are not.

Intent-Code Divergence (Medium severity, 99% confidence)

The summary uses hard-coded totals and pass/fail counts instead of computing results from earlier checks. This makes the validator misleading and can hide real failures, undermining trust in the tool's security conclusions.

Natural-Language Policy Violations (Low severity, 90% confidence)

The README recommends a specific third-party PyPI mirror (`https://pypi.tuna.tsinghua.edu.cn/simple`) as a general best practice without user opt-in, trust discussion, or regional justification. Even if the mirror is legitimate, normalizing an alternate package index can increase supply-chain risk, confuse users about provenance, and encourage installation from infrastructure outside their expected trust boundary.

Natural-Language Policy Violations (Medium severity, 87% confidence)

Recommending a specific third-party package mirror without user opt-in or contextual justification can redirect dependency installation through an alternate trust boundary. This increases supply-chain risk because users may install packages from infrastructure they did not intend to trust, and the recommendation appears in a security-focused skill where users may follow it uncritically.

Missing User Warnings (Medium severity, 92% confidence)

The script modifies file permissions with `chmod +x` during what is presented as a validation routine, without explicit user consent. Unexpected state-changing behavior in a validator can violate operator expectations, alter repository contents, and be abused in automation pipelines where validation is assumed to be read-only.

VirusTotal

66/66 vendors flagged this skill as clean.