Repomix

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Repomix helper for packaging repositories for AI analysis, with expected but important code privacy risks.

Install only if you are comfortable using Repomix on the repositories you choose. For private or proprietary code, narrow the scope with --include or --ignore, review the generated output before sharing it, avoid secret-bearing directories, consider pinning the npm package version instead of using @latest, and delete temporary analysis files when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill encourages packing local repositories into a single AI-friendly output file but does not warn users that this can consolidate sensitive source code, internal documentation, or secrets-adjacent material into one easily exfiltrated artifact. In this context, aggregation materially increases exposure risk because content that was previously scattered across many files becomes simpler to inspect, share, upload, or leak.

Missing User Warnings

Low
Confidence: 88%
Finding
The remote repository workflow uses external tooling and network access but does not clearly disclose that repository identifiers and related request metadata will be transmitted over the network. While this is often expected for remote fetches, the omission still matters because users may not realize that their target selection and access patterns are being exposed to external services or infrastructure.

VirusTotal

64/64 vendors flagged this skill as clean.
