miaoda-app-chat-sync

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate repo-to-JSON purpose, but it handles credentials and downstream file-overwrite instructions in ways that need human review before use.

Install only if you trust the publisher and will use it on trusted repositories. Use a read-only, repo-scoped GitHub token, avoid crafted or untrusted repo URLs, review the generated JSON before sending it to another agent, and require a diff or backup before allowing any downstream bulk overwrite.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                          cwd=target_dir, capture_output=True, timeout=10)

            # Step 3: Add remote
            subprocess.run(['git', 'remote', 'add', 'origin', auth_url],
                          cwd=target_dir, capture_output=True, timeout=30)

            # Step 4: Fetch
Confidence
82% confidence
Finding
subprocess.run(['git', 'remote', 'add', 'origin', auth_url], cwd=target_dir, capture_output=True, timeout=30)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented behavior goes beyond passive conversion and frames the output as operational instructions for another agent to apply code changes. This creates a semantic gap where users may invoke a 'JSON generator' but actually trigger a pipeline that prepares authoritative file-update commands, increasing the chance of unsafe or unintended execution.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill explicitly instructs downstream agents to create or overwrite files, avoid confirmation, and not skip any file. Those directives turn untrusted repository content into imperative actions, which is dangerous because a malicious repository can cause broad filesystem changes or destructive overwrites through a cooperating agent.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document correctly warns that repository content is untrusted, then later packages that same content into instructions designed to be strictly executed by other agents. This contradiction undermines the warning and creates a classic prompt/instruction injection path where attacker-controlled repo text is wrapped in a high-authority format.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function named and documented as an info prompt returns a prompt that instructs the agent to create or overwrite files. This creates a dangerous semantic mismatch: callers expecting a read-only or informational operation may instead trigger destructive writes without confirmation, increasing the chance of unintended repository modification.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The INFO configuration is labeled as informational but contains the same write/overwrite instructions as SYNC, including creating missing files and overwriting existing ones. In an agent skill that converts repository content into instructions for AI agents, this misleading configuration materially increases the risk of unauthorized or accidental destructive edits.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The method returns full contents of changed files from arbitrary repositories, which can expose secrets, proprietary code, or sensitive data to downstream agents beyond the minimum needed for JSON instruction generation. In an agent skill context, broad exfiltration of repository content is more dangerous because the output is explicitly structured for onward consumption and automation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The generator serializes full repository file contents into the output JSON and presents it for forwarding to an AI agent. While this appears consistent with the tool's implementation, it materially expands data exposure risk because source files may contain secrets, proprietary code, or embedded credentials, and the skill description does not clearly warn that complete file bodies will be emitted.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This output function includes detailed commit metadata, including repository, branch, full commit details, and identity fields, for downstream AI analysis. That is a genuine data-exposure issue because author/committer information and commit messages can contain sensitive personal or internal organizational data not necessary for many repository-to-instruction workflows.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code explicitly formats and exposes author and committer names, email addresses, and timestamps. This is dangerous because it discloses personally identifying information to terminal output or downstream consumers, increasing privacy, social-engineering, and data-handling risks without strong justification in the stated purpose.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly recommends configurations that instruct an agent to overwrite files, create missing files, and execute immediately without confirmation. In a skill whose purpose is to generate instructions for AI agents to modify repositories, these prompts can normalize unsafe automation and increase the chance of destructive or unintended file changes without user awareness.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The README instructs users to export a GitHub token directly in the shell, which can expose secrets via shell history, terminal logging, shoulder surfing, or inherited environment inspection on shared systems. While this is common documentation practice, it still normalizes an avoidable secret-handling risk for a tool that explicitly works with repository credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The SYNC prompt explicitly instructs the agent to overwrite files completely, create missing files, skip no files, and not ask for confirmation. In a repository-manipulation skill, these instructions remove common safety barriers and can enable large-scale destructive changes if the input JSON is malicious, incorrect, or produced from an untrusted repository.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The INFO prompt duplicates destructive file-modification behavior, including overwrite semantics and no-confirmation execution, despite being presented as an informational command. This is particularly dangerous because users or calling code may invoke 'info' under the assumption that it is safe, unintentionally causing repository modifications.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Emitting raw author and committer email addresses without redaction or warning can leak personal and internal contact information into logs, terminals, copied prompts, or third-party AI systems. In this skill context, that is more dangerous because the tool is specifically designed to package repository data for transfer to external AI workflows.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill advertises complete file content in JSON output, which can expose proprietary code, secrets accidentally committed to the repository, or sensitive internal configuration in a format easily copied to other systems. Because the output is intended for AI-agent consumption, it increases the likelihood of broad redistribution beyond the original trust boundary.

Ssd 3

Medium
Confidence
94% confidence
Finding
The workflow tells agents to read all code files and pass their contents as JSON to another AI system, creating a straightforward exfiltration channel for repository data. Even if intended for code sync, this broad transfer exceeds minimal necessity and can leak confidential source, credentials, or business logic to downstream processors.

Ssd 3

Medium
Confidence
94% confidence
Finding
The documented message format instructs users to send structured JSON containing repository files to another AI system for execution. This normalizes plain-language transfer of full code and may inadvertently disclose sensitive project material to third-party models or logs outside the user's intended environment.

Ssd 3

Medium
Confidence
91% confidence
Finding
The `info` command is described as returning complete file content for all changed files, which encourages broad disclosure when many use cases only need filenames, stats, or diffs. Exposing full changed-file contents increases the chance that secrets or sensitive code are surfaced in outputs, stored in logs, or relayed onward.

VirusTotal

63/63 vendors flagged this skill as clean.
