Open Source Contributor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed GitHub automation tool, but it needs review because it can autonomously use your GitHub token to fork repos, push branches, and open public PRs while handling credentials unsafely.

Install only if you intentionally want an agent to act on GitHub under your identity. Use a dedicated low-privilege public_repo token, avoid cron and auto-submit until you have reviewed dry runs, inspect or replace the missing token_resolver dependency, and fix token-in-command and shell=True usage before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_cmd(cmd, cwd=None, timeout=60):
    # Flagged pattern: cmd is a single string handed to /bin/sh, so any
    # untrusted fragment (branch name, issue title, repo URL) can inject
    # additional commands.
    try:
        r = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True, timeout=timeout)
        return r.returncode, r.stdout, r.stderr
    except Exception as e:
        return -1, "", str(e)
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True, timeout=timeout)
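The following is an added example, not code from the skill, showing why the finding matters and what the fix looks like. It runs the flagged string-plus-shell=True pattern beside an argv-list version on a constructed branch name containing a shell metacharacter, and adds a ref-name allow-list (the regex is an assumption for this example; git's real rules are in git-check-ref-format). `echo` stands in for `git checkout -b` so the demo is harmless and works offline.

```python
import re
import subprocess

# Constructed, untrusted input of the kind the agent would pull from an issue
# or repository metadata: a branch name carrying a shell metacharacter.
HOSTILE_BRANCH = "fix-typo; echo INJECTED"

# Conservative allow-list for git ref names (assumption for this example).
SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,200}$")


def run_cmd_shell(cmd, cwd=None, timeout=60):
    """The flagged pattern: one string, parsed by /bin/sh."""
    r = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True, timeout=timeout)
    return r.returncode, r.stdout, r.stderr


def run_cmd_argv(argv, cwd=None, timeout=60):
    """Hardened form: argv list, no shell, so metacharacters stay literal."""
    if not isinstance(argv, (list, tuple)) or not argv:
        raise TypeError("argv must be a non-empty list of strings")
    r = subprocess.run(list(argv), cwd=cwd, capture_output=True, text=True, timeout=timeout)
    return r.returncode, r.stdout, r.stderr


def validate_ref(name):
    """Reject ref names the agent should never pass to git, even via argv."""
    if not SAFE_REF.match(name) or ".." in name:
        raise ValueError(f"unsafe ref name: {name!r}")
    return name


def demo_injection(branch=HOSTILE_BRANCH):
    """Run 'echo <branch>' both ways; return (shell_output, argv_output)."""
    _, shell_out, _ = run_cmd_shell(f"echo {branch}")
    _, argv_out, _ = run_cmd_argv(["echo", branch])
    return shell_out, argv_out


if __name__ == "__main__":
    s, a = demo_injection()
    print("shell=True ->", repr(s))  # the injected second command ran
    print("argv list  ->", repr(a))  # metacharacters printed literally
```

The argv form removes the shell from the path entirely; the allow-list is a second layer, because an argv list still lets a hostile ref name reach git as an argument (for instance a name starting with "-").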

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill describes shell, file read/write, environment access, and GitHub token handling, but does not declare permissions explicitly. That mismatch weakens policy enforcement and reviewability, making it easier for the skill to be invoked with capabilities broader than operators expect. In a skill that performs git operations and uses API tokens, undeclared capabilities materially increase operational risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README prominently advertises an autonomous agent that scouts repositories, writes fixes, and submits PRs under the user's GitHub identity, but the main overview and usage flow do not foreground that this will perform unattended network actions and create public account activity. That creates a real informed-consent and misuse risk: users may install or schedule it without fully appreciating that it will act externally on their behalf, potentially causing reputation damage, spammy PRs, or unintended interactions with third-party repositories.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The configuration example includes a GitHub token in config and environment setup without an adjacent warning that the token is sensitive, must not be committed, logged, or stored insecurely. In a tool that performs automated GitHub actions, mishandling this credential could let an attacker or other local users abuse the token to create PRs, modify repositories within scope, or impersonate the user on GitHub.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list includes broad common terms like "github," "issue," "PR," and "open source," which raises the chance of accidental or context-inappropriate activation. Unintended invocation is especially risky here because the skill can fork repositories, modify files, push branches, and create pull requests using a stored token.

Missing User Warnings

High
Confidence
97% confidence
Finding
The GitHub token is embedded directly into a shell command used to invoke `curl`, which exposes a sensitive secret to shell parsing, process listings, logs, and command-history-like telemetry. Because this skill is designed for autonomous networked contribution, token misuse would permit unauthorized API actions such as forking repos, creating PRs, or potentially broader account compromise depending on token scope.
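As an added example (not the skill's code), here is the flagged construction beside a form that keeps the token out of argv. The token string, API URL and function names are assumptions for illustration. The hardened variant relies on curl's `-H @-`, which reads header lines from stdin (available since curl 7.55.0), so the secret is never visible in `ps`, `/proc/<pid>/cmdline`, shell history or command-line telemetry.

```python
# Constructed token: GitHub's classic PAT prefix with a made-up body.
FAKE_TOKEN = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
API_URL = "https://api.github.com/user"  # assumption: endpoint used for illustration


def curl_cmd_unsafe(token, url=API_URL):
    """The flagged pattern: token interpolated into the command string."""
    return f'curl -s -H "Authorization: Bearer {token}" {url}'


def unsafe_argv(token, url=API_URL):
    """What the shell would actually execute: the token is a visible argv element."""
    import shlex
    return shlex.split(curl_cmd_unsafe(token, url))


def curl_cmd_safe(token, url=API_URL):
    """Hardened form: argv is secret-free; the header line is delivered on stdin.

    Returns (argv, stdin_bytes). `-H @-` makes curl read headers from stdin.
    """
    argv = ["curl", "-s", "-H", "@-", url]
    stdin = f"Authorization: Bearer {token}\n".encode()
    return argv, stdin


def argv_leaks_token(argv, token):
    """The check a reviewer or pre-exec hook should make: is the secret in argv?"""
    return any(token in part for part in argv)


def run_safe(token, url=API_URL, timeout=30):
    """Execute the hardened form (network call; not exercised by the offline test)."""
    import subprocess
    argv, stdin = curl_cmd_safe(token, url)
    return subprocess.run(argv, input=stdin, capture_output=True, timeout=timeout)


if __name__ == "__main__":
    print("unsafe argv leaks token:", argv_leaks_token(unsafe_argv(FAKE_TOKEN), FAKE_TOKEN))
    argv, _ = curl_cmd_safe(FAKE_TOKEN)
    print("safe argv leaks token:  ", argv_leaks_token(argv, FAKE_TOKEN))
```

Doing the request from Python with `urllib.request` and an `Authorization` header avoids the child process altogether; the stdin approach is shown because the flagged code already shells out to curl.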

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stores a GitHub personal access token in a JSON config file under the user’s home directory without clearly warning the user that the credential will be written to disk. In the context of an autonomous GitHub contribution agent, persisted tokens materially increase the risk of credential theft via local compromise, backups, misconfigured file permissions, or accidental disclosure.
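The two findings above (token in the config example, token persisted to a JSON file under the home directory) share one fix at rest: create the file with private permissions from the start, refuse to use a token from a file other local users can read, and prefer a process-scoped environment variable. The block below is an added example, not the skill's code; the environment variable name, config key and the `resolve_token` stand-in for the missing token_resolver dependency are assumptions for this example.

```python
import json
import os
import stat
import tempfile

# Names below are assumptions for this example, not the skill's own.
ENV_VAR = "GITHUB_TOKEN"
CONFIG_KEY = "github_token"


def write_config(path, data):
    """Write JSON config with mode 0600 from the moment the file exists.

    os.open with an explicit mode avoids the window in which a default-umask
    file (often 0644) sits on disk readable by other local users.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)
    os.chmod(path, 0o600)  # also repairs a pre-existing, more permissive file
    return path


def config_is_private(path):
    """True only for a regular file with no group/other permission bits set."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def resolve_token(config_path, env=os.environ):
    """Minimal stand-in for the missing token_resolver dependency (assumption).

    Order: environment variable first (not persisted, scoped to the process),
    then the config file, but only if its permissions are private. A readable
    config is a hard error rather than something to use silently.
    """
    tok = env.get(ENV_VAR)
    if tok:
        return tok, "env"
    if not os.path.exists(config_path):
        return None, "none"
    if not config_is_private(config_path):
        raise PermissionError(f"{config_path} is readable by other users; refusing its token")
    with open(config_path) as f:
        return json.load(f).get(CONFIG_KEY), "file"


def demo(tmpdir=None):
    """Create a private and a leaky config in a temp dir; return what happens with each."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    good = write_config(os.path.join(tmpdir, "good.json"), {CONFIG_KEY: "ghp_example"})
    leaky = os.path.join(tmpdir, "leaky.json")
    with open(leaky, "w") as f:  # the flagged pattern: plain open(), default umask
        json.dump({CONFIG_KEY: "ghp_example"}, f)
    os.chmod(leaky, 0o644)  # make the demo deterministic regardless of umask
    try:
        resolve_token(leaky, env={})
        leaky_refused = False
    except PermissionError:
        leaky_refused = True
    return {
        "good_private": config_is_private(good),
        "leaky_private": config_is_private(leaky),
        "good_resolved": resolve_token(good, env={}),
        "env_wins": resolve_token(good, env={ENV_VAR: "ghp_from_env"}),
        "leaky_refused": leaky_refused,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Mode bits do not protect against backups, sync clients or a compromised user account; a dedicated low-privilege token with a short expiry limits what those exposures are worth.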

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill instructs the main agent to paste full file contents, issue descriptions, and contributing guidance inline to subagents. This creates a direct data-minimization failure: secrets, proprietary code, personal data, or security-sensitive repository content could be unnecessarily disclosed to additional models or services, especially if subagents are remote or differently scoped.

Ssd 3

Medium
Confidence
88% confidence
Finding
Broadly defined activity and audit-trail logging can capture repository contents, issue text, paths, branch names, prompts, model outputs, and possibly token-adjacent operational details. Without retention limits, redaction rules, and access controls, these logs become a secondary store of sensitive data and increase exposure in the event of compromise or misconfiguration.
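One concrete mitigation for the logging finding is a redaction filter attached to the audit handler, so tokens and Authorization headers are masked before any line reaches disk. The block below is an added example, not the skill's code. The token prefixes are GitHub's documented ones (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_); the length bounds, the header rule and the sample log lines are constructed for this example.

```python
import logging
import re

# GitHub token prefixes; minimum body length is an approximation for this example.
TOKEN_RE = re.compile(
    r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,}\b|\bgithub_pat_[A-Za-z0-9_]{20,}\b"
)
# Credential after an Authorization header, whatever its format (constructed rule).
AUTH_HEADER_RE = re.compile(r"(?i)(authorization:\s*(?:bearer|basic|token)\s+)\S+")


def redact(text):
    """Mask header credentials first, then any bare GitHub token anywhere in the text."""
    text = AUTH_HEADER_RE.sub(r"\1<redacted>", text)
    return TOKEN_RE.sub("<redacted-github-token>", text)


class RedactingFilter(logging.Filter):
    """Rewrite the message and its string args before the handler formats the record."""

    def filter(self, record):
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(v) if isinstance(v, str) else v for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the demo runs offline."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo_lines():
    """Run constructed audit-trail lines through the filter; return the formatted output."""
    logger = logging.getLogger("agent.audit.demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)

    # Constructed sample lines; every token is fake.
    logger.info("pushing branch %s to %s", "fix-typo",
                "https://ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@github.com/org/repo.git")
    logger.info("running: curl -H 'Authorization: Bearer ghp_BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB' "
                "https://api.github.com/user")
    logger.info("token resolved from env, prefix github_pat_11ABCDEFG0abcdefghijklmnop")
    logger.info("opened PR #%d on %s", 42, "org/repo")
    return handler.lines


if __name__ == "__main__":
    for line in demo_lines():
        print(line)
```

The filter sits on the handler rather than the logger so it also covers records that arrive via propagation from child loggers; a retention policy and restrictive permissions on the log file are still needed, since redaction only addresses what gets written, not who can read it.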

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
def get_max_repos_for_level(level, stats):
    """Determine max repos based on complexity level and approval rate"""
    limits = {
        1: 3,  # Typo fixes - no approval needed
        2: 3 if stats['rate'] > 0.5 else 0,
        3: 2 if stats['rate'] > 0.7 else 0,
        4: 1 if stats['rate'] > 0.9 else 0,
    }
    # The scanner excerpt ends inside the dict; the closing brace and this
    # return are added so the snippet runs. Unknown levels map to 0 (assumed).
    return limits.get(level, 0)
Confidence
89% confidence
Finding
no approval

VirusTotal

58/58 vendors flagged this skill as clean.
