God Mode Skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated purpose, but it can access private repository data, send analysis to LLM providers, cache sensitive project content, and directly modify agent instruction files.

Review before installing. Use only with repositories you are authorized to analyze, prefer least-privilege GitHub/Azure credentials, avoid the curl-to-bash install path unless you inspect and pin the script, and do not accept AGENTS.md updates until you review the exact diff. Treat LLM analysis as potentially sending or exposing private agent instructions and commit context, and purge ~/.god-mode if you no longer want the cached data retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (44)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent to run shell commands and access network-backed services via GitHub/Azure/LLM providers, yet no explicit permission model or scope restrictions are declared. That creates a confused-deputy risk where a user can trigger repo access, syncs, remote API calls, and file modifications without a transparent least-privilege boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated description frames the skill as repo oversight and commit-based learning, but the body grants much broader operational behavior: collecting PRs/issues, maintaining logs, modifying agent files, and potentially committing/pushing or updating files through APIs. This mismatch undermines informed consent and can cause users or supervising systems to approve a skill with materially broader read/write capabilities than advertised.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The handover claims 'We never store tokens' while explicitly allowing authentication via environment variables such as GITHUB_TOKEN and PATs. That is a security-relevant documentation mismatch: users may believe the skill never handles raw credentials, but the proposed design can consume highly sensitive secrets from the process environment, which affects threat modeling, auditability, and accidental exposure risk through logs, subprocess inheritance, or shell history during setup.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The `analyze` workflow is not read-only: after receiving LLM output it interactively offers to apply recommendations directly to the repository's agent file. This expands the trust boundary from analysis into code/content modification based on untrusted model output, creating a prompt-injection and integrity risk if the model suggests unsafe or destructive changes.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
When no LLM is configured, the command prints the fully assembled prompt, which includes repository agent instructions and sampled commit messages. This can disclose sensitive internal guidance or commit content to terminals, logs, CI output, or shell history; the API key variable names themselves are not sensitive, but the prompt disclosure is.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script goes beyond passive analysis and can directly modify AGENTS.md locally or via the GitHub API, then optionally commit and push those changes. In a repo-analysis skill, this materially increases risk because AI-generated recommendations are turned into write actions against source-controlled files, which can propagate incorrect, unsafe, or malicious instructions into developer workflows.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The design describes syncing commits, PRs, and issues from repositories but does not warn that repository metadata and potentially sensitive development patterns will be fetched, processed, and cached locally. In a repo-intelligence skill, this matters because private repo names, issue titles, branch activity, and work cadence can reveal confidential business information even if no source code is stored.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The env-var credential fallback is documented without a clear warning that the skill will access sensitive credentials from the environment. This is risky because environment-based secrets are easy to expose accidentally via debugging output, inherited subprocess environments, crash dumps, or overly broad shell/session configuration.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The architecture specifies local SQLite caching of commits, pull requests, issues, agent file snapshots, and analyses but does not clearly warn about local data retention. For this skill, cached agent instructions and repo activity metadata may contain proprietary workflows, internal issue titles, usernames, and sensitive operational context that remain on disk after use.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The document instructs users to execute a remotely fetched script directly with `bash`, which removes any opportunity to inspect the code before execution and creates a one-step remote code execution path. If the GitHub account, repository, branch, or network path were compromised, users could run attacker-controlled commands on their machines.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The verification section repeats the same unsafe remote installer pattern, normalizing direct execution of downloaded code as a routine install method. Repetition increases the chance users will trust and run the command without review, amplifying the risk of remote code execution if the hosted script changes maliciously.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The README instructs users to fetch a remote script and immediately execute it with `bash`, which creates a classic supply-chain risk. If the GitHub account, repository, branch, or network path is compromised, users can run attacker-controlled code with their local permissions without reviewing it first.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The session notes recommend installing the skill via `curl ... | bash`, which executes remote code immediately without inspection, pinning, or integrity verification. Even though this is documentation rather than executable skill logic, users may copy-paste it directly, so a compromised GitHub account, repository, branch, or network path could lead to arbitrary code execution on the user's machine.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill encourages activation from ordinary conversational phrases about projects, which increases the chance that it will run commands during casual discussion rather than after explicit invocation. In a skill with shell and network capability, ambiguous triggering can lead to unintended data access, syncing, or workspace changes.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The phrase 'Just tell me what you want!' removes scope boundaries and implies the assistant may infer and perform operational actions broadly. Given the documented ability to run setup, sync repositories, analyze private files, and apply changes, this materially raises the risk of overbroad or accidental invocation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document recommends a pipe-to-shell installation pattern that downloads remote content and executes it immediately, without any integrity verification or warning about execution risk. This is dangerous because compromise of the GitHub account, repository, branch, network path, or install script would result in arbitrary code execution on the user's machine.
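The four pipe-to-shell findings above share one remediation: download the installer to a file, read it, record its hash from a commit-pinned URL, and only execute a copy whose hash still matches. The script below is an added example written for this page, not the skill's own installer; the INSTALL_URL, the OWNER/REPO/COMMIT_SHA placeholders and the stand-in installer used in the offline demo are assumptions.

```shell
# Added example, not the skill's own installer: fetch the install script to a
# file, compare it with the SHA-256 you recorded after reading it, and only
# then execute it. INSTALL_URL is a placeholder (assumption).

# Pin to an immutable commit SHA, never a branch name, so a later push to the
# repository cannot change what you run. Hypothetical URL.
INSTALL_URL="https://raw.githubusercontent.com/OWNER/REPO/COMMIT_SHA/install.sh"

# Print the SHA-256 of a file using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# fetch_installer DEST: download to a file instead of into a shell.
# --proto '=https' and --tlsv1.2 refuse downgrades; -f fails on HTTP errors
# instead of handing an error page to the interpreter. (Network call; the
# offline demo below does not use it.)
fetch_installer() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$1" "$INSTALL_URL"
}

# verify_then_run FILE EXPECTED_SHA256: execute FILE only if its hash matches
# the value you recorded during review. Returns 1 without executing on mismatch.
verify_then_run() {
  actual="$(sha256_of "$1")"
  if [ "$actual" != "$2" ]; then
    echo "refusing to run $1: sha256 $actual does not match $2" >&2
    return 1
  fi
  sh "$1"
}

# Offline demonstration with a constructed stand-in installer: the recorded
# hash lets it run, a wrong hash (64 zeros) must block execution.
demo() {
  tmp="$(mktemp)"
  printf '#!/bin/sh\necho installed\n' > "$tmp"
  good="$(sha256_of "$tmp")"
  verify_then_run "$tmp" "$good" || return 1          # prints "installed"
  if verify_then_run "$tmp" "$(printf '%064d' 0)" 2>/dev/null; then
    return 1                                          # must have refused
  fi
  rm -f "$tmp"
}

demo
```

In practice you run fetch_installer once, read the file, record its hash alongside the commit SHA, and use verify_then_run on every later install; a changed hash means the pinned content changed and needs another review.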

Missing User Warnings

Medium
Confidence
81% confidence
Finding
This section promotes sync, review, cron, and automation features that collect and aggregate repository activity from GitHub and Azure DevOps, but it does not warn users that using the skill involves external API access, metadata collection, and storage of project activity in a local database. In a skill centered on multi-repo tracking and agent analysis, omission of those disclosures can mislead users about data flows and consent boundaries, increasing privacy and compliance risk even if the functionality is legitimate.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The testing guide instructs users to delete application state under the home directory with no warning about data loss or scoping precautions. In an agent-driven environment, destructive commands in documentation can be copied or executed automatically, causing unintended local data removal and making the skill more dangerous than ordinary prose.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The standalone-mode test tells users to export a real Anthropic API key but provides no privacy or handling guidance. This encourages use of production credentials in ad hoc testing, increasing the risk of credential leakage through shell history, logs, screenshots, shared terminals, or agent output.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The agent-analysis workflow describes fetching AGENTS.md and generating a comprehensive prompt from repository contents without warning that this material may be sent to an LLM or external service. Repository files, commit history, issue text, and other metadata may contain proprietary or sensitive information, so omission of disclosure and consent guidance is risky.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends agent file contents and recent commit messages to the configured LLM provider without an explicit consent step or prominent warning. Because these inputs may contain proprietary instructions, internal URLs, secrets accidentally committed to history, or sensitive operational context, this creates a data exfiltration/privacy risk to third-party services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function overwrites the target file with shell redirection immediately once called, without a final explicit confirmation or a diff preview of the exact file path and changes. Because the content originates from recommendations and the path is externally supplied, this can cause silent destructive edits to local repository files and may persist unsafe instructions into agent configuration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This path updates repository content through the GitHub API without an explicit confirmation at the point of remote modification, meaning AI-generated content can directly alter tracked files in a remote repo. In this skill's context, that is more dangerous because AGENTS.md influences agent behavior, so a bad recommendation can be propagated into shared automation and trusted repository state.
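The local-write finding (shell redirection into AGENTS.md) and the remote-write finding above both lack a diff preview and an explicit approval step at the point of modification. The function below is an added example for this page, not code from the skill: it keeps the target inside the repository, prints the unified diff of the real path, requires approval, and replaces the file atomically. The same gate belongs in front of the GitHub API path. The GOD_MODE_CONFIRM variable is an assumption so the gate can be exercised without a terminal; an interactive tool would prompt instead.

```shell
# Added example, not the skill's own code: a guarded replacement for
# "recommendation > AGENTS.md". GOD_MODE_CONFIRM is a hypothetical switch.

# guarded_write REPO_ROOT TARGET_REL CANDIDATE_FILE
# Exit status: 0 written, 1 refused (path leaves repo), 2 nothing to change,
# 3 operator declined. Nothing is written unless the status is 0.
guarded_write() {
  root="$1"; rel="$2"; candidate="$3"

  # The path comes from outside (a model or a caller): reject absolute paths
  # and any ".." component so it cannot escape the repository root.
  case "$rel" in
    /* | .. | ../* | */.. | */../*)
      echo "refusing to write outside repository: $rel" >&2
      return 1 ;;
  esac
  target="$root/$rel"

  if [ -f "$target" ] && cmp -s "$target" "$candidate"; then
    echo "no changes for $rel"
    return 2
  fi

  # Always show the full diff of the real path before asking. diff exits 1
  # when files differ, which is the expected case here.
  echo "Proposed change to $target:"
  if [ -f "$target" ]; then
    diff -u "$target" "$candidate" || true
  else
    diff -u /dev/null "$candidate" || true
  fi

  if [ "${GOD_MODE_CONFIRM:-}" != "yes" ]; then
    echo "declined; $rel left untouched" >&2
    return 3
  fi

  # mktemp creates the staging file mode 0600 regardless of umask (unlike a
  # plain redirection into a predictable path); staging in the repo dir keeps
  # the final rename on one filesystem, so a failure never leaves a
  # half-written AGENTS.md. The result keeps 0600; chmod it if the file must
  # stay group-readable.
  tmp="$(mktemp "$root/.agents-staging.XXXXXX")" || return 1
  cat "$candidate" > "$tmp" && mv "$tmp" "$target"
}
```

Call it as `GOD_MODE_CONFIRM=yes guarded_write /path/to/repo AGENTS.md /tmp/recommendation.md` only after reading the diff it printed on a previous, unconfirmed run.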

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function writes the full prompt to a local file in a predictable location without any consent, minimization, retention control, or permission hardening. Prompts in this skill may contain repository contents, analysis context, secrets, or proprietary code, so local persistence creates an unnecessary exfiltration and exposure surface beyond transient processing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code sends arbitrary prompt contents to OpenAI over the network without any user-facing disclosure, approval gate, or sensitivity checks. In the context of a repo-analysis skill, prompts are likely to include source code, internal metadata, and possibly secrets, so silent third-party transmission materially increases confidentiality and compliance risk.
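The prompt-disclosure finding (prompt printed when no LLM is configured), the local prompt-file finding and the two transmission findings above all concern the same assembled text leaving the process unreviewed. The functions below are an added example for this page, not the skill's own code: a redactor for credential-like strings, a check that refuses to send anything it had to mask, and an opt-in gate in front of the send. The GOD_MODE_ALLOW_LLM variable, the sample prompt and the tokens inside it are constructed for the demo; the GitHub `ghp_` prefix and OpenAI `sk-` prefix are the only real formats assumed.

```shell
# Added example, not the skill's own code. GOD_MODE_ALLOW_LLM is hypothetical.

# redact_secrets: read text on stdin, mask token-like values. Patterns: GitHub
# classic PAT (ghp_ + 36 chars), OpenAI-style sk- keys, bearer headers, and
# lowercase token/password/secret assignments. Everything else passes through.
redact_secrets() {
  sed -E \
    -e 's/ghp_[A-Za-z0-9]{36}/ghp_[REDACTED]/g' \
    -e 's/sk-[A-Za-z0-9_-]{20,}/sk-[REDACTED]/g' \
    -e 's/([Bb]earer[[:space:]]+)[A-Za-z0-9._-]+/\1[REDACTED]/g' \
    -e 's/((token|password|secret)[[:space:]]*[=:][[:space:]]*)[^[:space:]"]+/\1[REDACTED]/g'
}

# has_secrets TEXT: exit 0 if the redactor would change anything in TEXT.
has_secrets() {
  [ "$(printf '%s\n' "$1" | redact_secrets)" != "$1" ]
}

# prepare_for_llm TEXT: print what may leave the machine. Exit 2 (and print a
# redacted preview) if credentials were found; exit 3 (preview only) unless the
# operator opted in; exit 0 with the text ready to send otherwise.
prepare_for_llm() {
  text="$1"
  if has_secrets "$text"; then
    echo "prompt contains credential-like strings; not sending" >&2
    printf '%s\n' "$text" | redact_secrets
    return 2
  fi
  if [ "${GOD_MODE_ALLOW_LLM:-}" != "yes" ]; then
    echo "LLM send not approved (set GOD_MODE_ALLOW_LLM=yes); preview only:" >&2
    printf '%s\n' "$text"
    return 3
  fi
  printf '%s\n' "$text"
}

# Constructed sample prompt: agent rules plus sampled commit messages, one of
# which leaked a fake GitHub PAT and one a fake OpenAI key.
PROMPT='Repo agent rules:
Always run tests before committing.
Commit a1b2c3: "ci: set GITHUB_TOKEN=ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789 in workflow"
Commit d4e5f6: "fix: remove hardcoded OPENAI key sk-proj-abcdefghijklmnopqrstuvwxyz1234"'

# Demo: the send is refused and only the masked text is shown.
GOD_MODE_ALLOW_LLM=yes prepare_for_llm "$PROMPT"
```

The redactor is a last line of defence, not a substitute for consent: even a clean prompt still carries the repository's private agent instructions and commit context, which is why the gate defaults to preview-only.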

VirusTotal

0/63 vendors flagged this skill; all 63 reported it clean. VirusTotal matches known malware signatures and reputation data, so a clean result says nothing about the behavioural findings above (remote script execution, credential handling, LLM transmission, agent-file writes).
