Codex Native System

Security checks across malware telemetry and agentic risk

Overview

This is a real code-assistant skill, but it can broadly scan local projects and upload code, file previews, and Git diffs to an external API without strong scoping or clear consent controls.

Install only if you are comfortable with repository content being sent to the configured OpenAI-compatible API. Use it on non-sensitive projects first, avoid running project analysis or Git integration on private code or diffs containing secrets, and prefer adding explicit review, redaction, path limits, and confirmation before any repository-wide scan or diff upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    if action_type == "commit_message":
        # Get git diff
        import subprocess
        result = subprocess.run(
            ['git', 'diff', '--cached'],
            cwd=repo_path,
            capture_output=True,
            text=True,
        )
Confidence: 84%
Finding: result = subprocess.run( ['git', 'diff', '--cached'], cwd=repo_path, capture_output=True, text=True )

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    elif action_type == "diff_analysis":
        import subprocess
        result = subprocess.run(
            ['git', 'diff', 'HEAD~1'],
            cwd=repo_path,
            capture_output=True,
            text=True,
        )
Confidence: 84%
Finding: result = subprocess.run( ['git', 'diff', 'HEAD~1'], cwd=repo_path, capture_output=True, text=True )

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    if action_type == "commit_message":
        # Get git diff
        import subprocess
        result = subprocess.run(
            ['git', 'diff', '--cached'],
            cwd=repo_path,
            capture_output=True,
            text=True,
        )
Confidence: 90%
Finding: result = subprocess.run( ['git', 'diff', '--cached'], cwd=repo_path, capture_output=True, text=True )

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    elif action_type == "diff_analysis":
        import subprocess
        result = subprocess.run(
            ['git', 'diff', 'HEAD~1'],
            cwd=repo_path,
            capture_output=True,
            text=True,
        )
Confidence: 90%
Finding: result = subprocess.run( ['git', 'diff', 'HEAD~1'], cwd=repo_path, capture_output=True, text=True )

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The skill claims code-assistance features, but the git integration adds local process execution and repository inspection capabilities that exceed a narrowly scoped remote code-generation helper. That increased capability is dangerous because it enables local environment interaction and access to potentially sensitive repo state that users may not expect from this skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The Git integration feature introduces local subprocess execution capability that is more powerful than pure remote code assistance. In agent settings, such capability expansion increases the blast radius because a prompt-triggered feature can inspect local repositories and prepare sensitive data for onward transmission.

Vague Triggers

Severity: High
Confidence: 97%
Finding: The description says the skill should trigger for essentially any code-related task, making activation overly broad and ambiguous. That increases the chance the skill will run in contexts where users did not intend networked code processing, project scanning, or file-modifying behavior, which can expose sensitive code or alter repositories unexpectedly.

Vague Triggers

Severity: High
Confidence: 96%
Finding: The trigger list includes generic phrases like '写代码' (Chinese for 'write code'), 'review', 'test', and 'document' without limiting scope or mode of operation. Such broad natural-language triggers can cause accidental invocation on ordinary requests and silently escalate to scanning repositories, generating commits, or sending content to external services.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README describes 'one-click' automatic fixes and full-project recursive scanning, but it does not clearly warn users that local files may be modified or large amounts of source code may be ingested. In an agent setting, this can lead to unintended destructive edits, broad access to proprietary code, and unexpected external processing of project contents.

Vague Triggers

Severity: High
Confidence: 97%
Finding: The skill description says it should trigger for essentially any code-related operation and claims no other code skills are needed, which creates an over-broad activation surface. In an agent environment, this can cause the skill to intercept unrelated or sensitive coding tasks, increasing the chance of unnecessary data exposure, unintended external API use, and bypass of more specialized or safer workflows.

Vague Triggers

Severity: High
Confidence: 95%
Finding: The trigger list contains broad phrases such as 'review', 'test', 'document', and generic coding verbs that can overlap with ordinary requests. This makes accidental invocation likely, and because the skill advertises project scanning, logging, Git integration, and external API-backed processing, unintended activation could expose source code, secrets, or metadata beyond what the user expected.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The markdown describes recursive full-project scanning and complete API call logging, but does not clearly warn that source code, secrets, repository metadata, and prompts may be collected, retained, or transmitted. In this context, the feature set makes the omission more dangerous because users may invoke the skill without understanding the privacy and confidentiality consequences of broad scanning and logging.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: Project analysis collects directory structure and code previews from the local filesystem and submits them to a remote API without explicit disclosure or consent. In a code-assistant skill, this is especially dangerous because repositories often contain proprietary source, credentials, internal paths, and embedded secrets that can be leaked off-host.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The security-audit feature sends arbitrary supplied code to an external API without warning that the content leaves the local environment. Since security reviews often involve sensitive code, secrets, or proprietary logic, undisclosed transmission can itself become a confidentiality issue.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: Git integration reads staged or historical diffs and uploads them to the model without explicit disclosure. Diffs frequently contain newly added secrets, vulnerability fixes, customer data, or unreleased code, so silent transmission substantially raises confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Project analysis scans local directories, reads code previews, and sends that material to a remote API without any explicit user-facing disclosure or minimization. In this skill context, that is particularly dangerous because project files commonly contain proprietary code, secrets, internal paths, and personal data.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The Git integration feature sends diff contents from the local repository to the remote model without a clear warning. Diffs often include newly added secrets, unpublished code, security fixes, or confidential business logic, making silent transmission a significant privacy and IP-exposure risk.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The skill states that all API calls are logged in detail, which can capture prompts, source code, secrets, tokens, credentials, and other sensitive user-provided material. Retaining comprehensive logs without minimization or redaction significantly raises the impact of compromise, insider misuse, or accidental exposure.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: The example configuration enables logging by default while giving no limitation on collection of prompts, code, credentials, or findings. Default-on verbose logging normalizes unsafe deployments and can silently accumulate sensitive development data in logs.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The project-analysis prompt is designed to include broad project structure and code previews in the external model request, which semantically encourages leakage of user code and secrets. Because the feature is framed as analysis rather than exfiltration, users may underestimate how much sensitive material is being transmitted.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: These prompts embed raw git diffs into plain-language requests to the remote model, which can expose code changes, credentials, and internal implementation details. The skill context makes this more dangerous because commit and diff workflows commonly touch exactly the most recent and sensitive modifications.

Ssd 3

Severity: High
Confidence: 97%
Finding: The project analysis prompt includes broad project structure and file previews in plain text, which can leak sensitive repository contents to the remote model. Because this is framed as routine analysis, users may not realize the breadth of disclosure, increasing the chance of accidental exfiltration.

Ssd 3

Severity: High
Confidence: 97%
Finding: Commit-message generation and diff analysis transmit repository changes under a benign summarization workflow, which can disguise sensitive data exfiltration. In practice, diffs frequently contain credentials, proprietary code, internal URLs, or vulnerability fixes that should not be uploaded by default.

Ssd 3

Severity: Medium
Confidence: 80%
Finding: The context manager retains and compresses prior content, including user/system inputs and metadata, then re-injects summaries into future prompts. If prior interactions contain secrets, personal data, or sensitive code, this persistence increases the risk of unintended retention and retransmission to the external model.

VirusTotal

65/65 vendors flagged this skill as clean.