GitHub Code Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent code-analysis purpose, but it executes a user-supplied GitHub URL through a shell and can send sampled code to an external AI service without enough safety boundaries.

Review carefully before installing. Only test it in a disposable environment with trusted public repositories, and assume repository structure and source-code excerpts may be sent to the external Ark/DeepSeek-compatible API. Do not use it on private or sensitive code until the shell execution is replaced with safe argument-based process spawning, URL validation is tightened, symlinks are contained, secrets are redacted, and the external provider/data-sharing behavior is clearly disclosed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The skill metadata and documentation claim GitHub analysis via DeepSeek, but the described behavior includes undisclosed transmission of repository content to a different external service, use of a hardcoded API credential, and support for an undeclared model. This mismatch prevents informed user consent and can conceal sensitive code exfiltration or unauthorized third-party processing, which is especially risky for source code analysis workflows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The skill builds a shell command with untrusted user input (`repoUrl`) and passes it to `child_process.exec`, which invokes a shell. This creates a command injection risk in addition to cloning arbitrary repositories, giving an attacker a path to execute commands on the host running the skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill reads repository files and transmits project structure and source code excerpts to a third-party AI API, which exceeds a local 'code quality analysis' expectation and can leak proprietary or sensitive code. The risk is amplified because there is no consent flow, no repository sensitivity check, and no minimization beyond simple truncation.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README states that repositories are cloned and code is sent to an AI API but does not warn users about local filesystem writes or external data transmission. Even for public repositories, users may not expect code samples, structure, or derived metadata to be sent to third-party services, creating privacy, compliance, and operational risks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill clones a user-supplied repository without clearly warning the user that it will perform a network fetch and process untrusted remote content. In this implementation, that behavior is more dangerous than usual because the clone is performed via shell execution using unsanitized input, increasing the chance of abuse.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill sends repository structure and code samples to an external HTTP API without informing the user, which can expose confidential source code, internal architecture, and embedded secrets. Because this is a code-analysis skill, users may reasonably expect local inspection unless exfiltration is clearly disclosed.

VirusTotal

VirusTotal findings are pending for this skill version.