iStore Build OpenClash

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks for broad GitHub repository credentials and changes repository Actions permissions while generating an installer that makes privileged router changes.

Review before installing. Prefer a fine-grained, short-lived GitHub token limited to the target repository, revoke it after use, and avoid enabling PR review approval unless you explicitly need it. Inspect the workflow and the generated .run installer before running it on a router, because it installs packages, writes system files, enables OpenClash, and reloads firewall/web services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill directs enabling repository-wide GitHub Actions write permissions and PR review approval capability, which is broader than necessary for merely adding a workflow file. If misused or if the workflow is later compromised, these elevated settings can let Actions modify repository contents or approve PRs, increasing blast radius beyond the stated task.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The description claims the skill only creates and pushes a workflow, but the documented behavior also alters repository security settings. This mismatch is dangerous because it obscures security-relevant side effects from the user and can lead to consent without understanding the actual repository changes being made.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is described as creating and pushing a GitHub Actions build workflow, but the generated artifact contains an installer that performs router-side package installation, writes into /etc, enables and starts services, and reloads firewall/web services. This mismatch is security-relevant because users may authorize the skill expecting CI workflow generation only, while it actually produces an operational installer that changes target systems.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The embedded install.sh has broad administrative behavior beyond packaging: it installs dependencies, updates package feeds, copies executables into privileged paths, changes ownership/permissions, enables services, and reloads firewall and HTTP services. In the context of a workflow-creation skill, these administrative actions are over-broad and increase the chance of unintended system modification on routers.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill asks for a classic PAT with repo scope and uses it to perform repository writes and permission changes without a strong warning about credential sensitivity or the consequences of those operations. This creates a significant risk of token overexposure, accidental reuse, or overbroad repository compromise if the token is mishandled.

Missing User Warnings

Medium
Confidence: 96%
Finding
The generated installer performs package installation, filesystem writes under /etc, service enable/start actions, and firewall reloads without any explicit user confirmation in the execution path that creates and distributes it. A user running the .run file may not understand the full extent of the changes, making accidental deployment of high-privilege actions more likely.

Ssd 3

High
Confidence: 99%
Finding
The skill explicitly instructs the agent to solicit a GitHub Personal Access Token and then use it to modify repository contents and permissions. Collecting high-value credentials in plain language is inherently risky because it encourages users to expose secrets directly to the agent workflow, enabling credential theft, replay, or misuse.

VirusTotal

61/61 vendors flagged this skill as clean.
