GitHub Semantic Search

Security checks across malware telemetry and agentic risk

Overview

This GitHub assistant mostly matches its stated purpose, but it has review-worthy risks around authenticated GitHub data, unsafe command construction, and a hard-coded Feishu alert recipient.

Install only after reviewing the scripts. Use it only with GitHub accounts and repositories you are comfortable indexing locally, replace or remove the hard-coded Feishu recipient before relying on alerts, and treat init/rm as destructive local index operations. The subprocess calls build a single command string from caller-supplied arguments and should be hardened (argument lists, validated repository names) before using this in shared or untrusted workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def gh(args: str) -> dict:
    result = subprocess.run(
        f'"{GH_EXE}" {args}',
        capture_output=True, encoding="utf-8", errors="replace"
    )
Confidence
97% confidence
Finding
result = subprocess.run( f'"{GH_EXE}" {args}', capture_output=True, encoding="utf-8", errors="replace" )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def gh_list(args: str) -> list:
    result = subprocess.run(
        f'"{GH_EXE}" {args}',
        capture_output=True, encoding="utf-8", errors="replace"
    )
Confidence
97% confidence
Finding
result = subprocess.run( f'"{GH_EXE}" {args}', capture_output=True, encoding="utf-8", errors="replace" )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def gh(args: str) -> dict:
    result = subprocess.run(
        f'"{GH_EXE}" {args}',
        capture_output=True, text=True, shell=False
    )
Confidence
98% confidence
Finding
result = subprocess.run( f'"{GH_EXE}" {args}', capture_output=True, text=True, shell=False )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def gh_list(args: str) -> list:
    result = subprocess.run(
        f'"{GH_EXE}" {args}',
        capture_output=True, text=True, shell=False
    )
Confidence
98% confidence
Finding
result = subprocess.run( f'"{GH_EXE}" {args}', capture_output=True, text=True, shell=False )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def gh(args: str) -> dict:
    result = subprocess.run(
        f'"{GH_EXE}" {args}',
        capture_output=True, encoding="utf-8", errors="replace"
    )
Confidence
95% confidence
Finding
result = subprocess.run( f'"{GH_EXE}" {args}', capture_output=True, encoding="utf-8", errors="replace" )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def get_ci_status(repo: str, limit: int = 5) -> str:
    try:
        result = subprocess.run(
            f'"{GH_EXE}" run list --repo {repo} --limit {limit} --json name,status,conclusion,createdAt,headBranch,url',
            capture_output=True, encoding="utf-8", errors="replace"
        )
Confidence
90% confidence
Finding
result = subprocess.run( f'"{GH_EXE}" run list --repo {repo} --limit {limit} --json name,status,conclusion,createdAt,headBranch,url', capture_output=True, encoding="utf

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs use of capabilities that imply shell execution, network access, environment access, and local file reads/writes, but it declares no permissions or safety boundaries. In an agent setting, this can cause users or orchestrators to invoke the skill without understanding that it can access authenticated GitHub state, local Qdrant data, and external/local services, increasing the chance of unintended data exposure or over-privileged execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description emphasizes semantic indexing and monitoring but does not warn that repository content, search queries, and monitoring data may be sent to GitHub via the authenticated gh CLI and to local/external services such as Ollama and Qdrant. In practice, users may submit private repository names, issue text, or sensitive queries without informed consent, creating a confidentiality and privacy risk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script forwards issue, PR, and CI metadata—including titles, labels, URLs, workflow names, branches, and keyword matches—to an external Feishu recipient without granular consent, redaction, or runtime confirmation. In a GitHub-monitoring skill, this increases the chance of leaking sensitive repository activity or security-related discussions to third-party messaging infrastructure.
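The two warnings above reduce to one design change: the alert path should carry a minimized payload to a recipient the operator chose, not everything the monitor saw to a recipient fixed in the script. The code below is an added example, not the skill's own alerting code. It takes the recipient from an environment variable (and sends nothing when it is unset), drops items carrying labels that should stay inside GitHub, keeps only an allowlisted set of fields so keyword matches are never forwarded, and masks token-shaped strings in titles. The environment variable name FEISHU_ALERT_RECIPIENT, the field and label allowlists, the token patterns (GitHub classic tokens gh?_ plus 36 characters, AWS access key IDs) and the sample item are assumptions for the example.

```python
import os
import re
from typing import Dict, List, Optional

# Assumed allowlist of fields an alert may carry. The skill forwards more
# (labels, keyword matches); those stay out of the message by construction.
ALERT_FIELDS = ("kind", "repo", "title", "url", "branch", "workflow")

# Assumed: items with these labels are never forwarded to a chat tool.
SENSITIVE_LABELS = {"security", "vulnerability", "incident", "secret"}

# Assumed token shapes worth masking in free text before it leaves the host.
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16})\b")


def alert_recipient() -> Optional[str]:
    """Recipient comes from the environment, never from a literal in the script."""
    return os.environ.get("FEISHU_ALERT_RECIPIENT") or None


def redact(text: str) -> str:
    """Mask token-shaped substrings so a pasted secret in a title is not relayed."""
    return TOKEN_RE.sub("[redacted]", text)


def build_alert(item: Dict) -> Optional[Dict]:
    """Minimized alert body for one issue/PR/run, or None if it must not leave GitHub."""
    labels = {str(label).lower() for label in item.get("labels", [])}
    if labels & SENSITIVE_LABELS:
        return None
    body = {key: item[key] for key in ALERT_FIELDS if key in item}
    if "title" in body:
        body["title"] = redact(str(body["title"]))
    return body


def prepare_alerts(items: List[Dict], recipient: Optional[str]) -> List[Dict]:
    """Messages ready to send. Empty when no recipient was configured: silence
    is safer than a default destination baked into the code."""
    if not recipient:
        return []
    messages = []
    for item in items:
        body = build_alert(item)
        if body is not None:
            messages.append({"recipient": recipient, "body": body})
    return messages
```

Whatever actually posts to Feishu should take its input only from prepare_alerts, so a change to the allowlist or the label set is the single place where the exposure policy lives.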

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal