FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA)

Security checks across malware telemetry and agentic risk

Overview

FlowForge appears to be a real coding automation skill, but it gives Claude Code broad repository-changing authority and uses locally stored Claude credentials with limited safeguards.

Install only if you are comfortable with an autonomous tool sending project context to Claude Code, editing your repository, running planned verification commands, and rotating locally saved Claude credentials. Use it in a disposable clone or container on a clean branch, protect or avoid saved credential JSON files, inspect forge.env before running, and review generated plans and diffs before trusting results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Severity: Medium, Confidence: 93%
The README explicitly instructs users to store multiple Claude account credentials locally for automatic rotation but does not warn that these files are highly sensitive bearer credentials. In the context of an autonomous coding pipeline that runs shell scripts and agent-driven tasks, normalizing this storage pattern increases the risk of credential theft, accidental disclosure, or misuse across accounts.

Vague Triggers

Severity: Medium, Confidence: 92%
The trigger language is extremely broad: phrases like 'starting any new feature, refactor, or bug fix' and 'plan and build' could cause this skill to activate for routine development requests. Because the skill then routes work into shell scripts and external Claude Code calls, accidental invocation can expose repository content and task details to a more powerful automated pipeline than the user intended.

Missing User Warnings

Severity: Medium, Confidence: 89%
The skill instructs the agent to write task details and clarification answers into persistent local files under ~/.forge/<timestamp>/, but it does not clearly warn users that potentially sensitive requirements, repository paths, and implementation notes will be stored on disk. This increases the risk of unintended local data retention, exposure to other local processes/users, and persistence of confidential project information beyond the session.

Missing User Warnings

Severity: Medium, Confidence: 95%
The skill omits a clear warning that it will make multiple external Claude Code calls and supports credential-backed account rotation using locally stored account files. This is more dangerous in context because the skill explicitly centralizes 'ALL heavy work' through the external service, potentially sending large volumes of proprietary code or task data off-host, while also relying on stored credentials that could be mishandled or over-permissioned.

Missing User Warnings

Severity: Low, Confidence: 95%
The prompt instructs the agent to write `project-context.md` to the workspace as a mandatory post-QA step, but it provides no warning, consent check, or scope limitation around this persistent modification. This creates an unnecessary side effect in what appears to be an analysis/review skill, and could surprise users, overwrite existing context, or leave behind unintended persistent state for later runs.

Missing User Warnings

Severity: Medium, Confidence: 98%
The script sources a workspace-controlled forge.env file directly into the current shell, which executes arbitrary shell code, not just variable assignments. Because the workspace path is user-supplied and treated as trusted, an attacker can place malicious commands in forge.env to achieve immediate code execution and potentially steal credentials or alter the pipeline.

Missing User Warnings

Severity: Medium, Confidence: 96%
Invoking Claude with --dangerously-skip-permissions disables normal safety checks while feeding it prompts built from workspace and repository content, then allowing it to write outputs into that same workspace. In this pipeline context, untrusted task/repo content can influence model behavior and lead to unsafe file modifications, data exposure, or execution of risky actions without user confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.