Github Ops

Security checks across malware telemetry and agentic risk

Overview

This skill can automate real GitHub publishing actions with stored credentials, but it does not clearly require user review before it creates repositories, pushes code, cuts releases, or triggers deployments.

Install it only if you want an agent to perform GitHub write actions with a stored token. Use a narrowly scoped token, confirm the target repository, visibility, branch, and files before any push or release, and avoid using it in workspaces that may contain secrets or private content.
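The overview asks for a narrowly scoped token and explicit confirmation of repository, visibility, branch and files before any push. The Python below is an added example of such a pre-publish gate; it is not code from the Github Ops skill or from SkillSpector. The plan and approval structures, the scope allowlist and the secret patterns are assumptions chosen for the illustration, and the sample workspace and API response header are constructed. Token scopes are read from the X-OAuth-Scopes header GitHub returns for classic personal access tokens; fine-grained tokens do not carry that header, which the code treats as "unverifiable" rather than "no scopes".

```python
"""Pre-publish gate for an agent pushing with a stored GitHub token.

Added illustration, not the skill's own code. Plan/approval shapes, the scope
allowlist and the secret patterns are assumptions for this example.
"""
import re
from dataclasses import dataclass, field

# Paths that should never leave the host regardless of content (assumed list).
SENSITIVE_PATH = re.compile(
    r"(^|/)(\.env(\..+)?|id_(rsa|ed25519|ecdsa)|[^/]+\.(pem|p12|key)|secrets\.json)$"
)

# Content signatures for common credential formats (assumed, not exhaustive).
SECRET_CONTENT = {
    "github token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Classic-PAT scopes a push/release workflow needs; anything wider is refused.
# Assumed allowlist: use public_repo instead if only public repos are in scope.
ALLOWED_SCOPES = frozenset({"repo"})


@dataclass
class PublishPlan:
    """What the agent intends to do, stated before any network call."""
    repo: str          # "owner/name"
    visibility: str    # "public" or "private"
    branch: str
    files: dict        # path -> text content (in-memory tree for the example)


@dataclass
class Approval:
    """What the user explicitly confirmed, item by item."""
    repo: str
    visibility: str
    branch: str
    files: frozenset   # exact set of paths the user reviewed


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def scopes_from_headers(headers):
    """Parse X-OAuth-Scopes (classic tokens); None when absent (fine-grained)."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            return [s.strip() for s in value.split(",") if s.strip()]
    return None


def find_secret_indicators(files):
    """Flag sensitive filenames and credential-looking content."""
    hits = []
    for path, content in sorted(files.items()):
        if SENSITIVE_PATH.search(path):
            hits.append(f"{path}: sensitive filename")
        for label, pattern in SECRET_CONTENT.items():
            if pattern.search(content):
                hits.append(f"{path}: content matches {label}")
    return hits


def preflight(plan, approval, token_scopes, allowed_scopes=ALLOWED_SCOPES):
    """Refuse unless every confirmed field matches and nothing looks secret."""
    reasons = []
    if plan.repo != approval.repo:
        reasons.append(f"repo {plan.repo!r} is not the confirmed {approval.repo!r}")
    if plan.visibility != approval.visibility:
        reasons.append(f"visibility {plan.visibility!r} was not confirmed")
    if plan.branch != approval.branch:
        reasons.append(f"branch {plan.branch!r} was not confirmed")
    unreviewed = sorted(set(plan.files) - approval.files)
    if unreviewed:
        reasons.append(f"files not in the reviewed set: {unreviewed}")
    if token_scopes is None:
        reasons.append("token scopes could not be verified from the API response")
    else:
        extra = sorted(set(token_scopes) - set(allowed_scopes))
        if extra:
            reasons.append(f"token carries scopes beyond the allowlist: {extra}")
    reasons.extend(find_secret_indicators(plan.files))
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed workspace: a stray .env alongside code, and an over-broad token.
EXAMPLE_FILES = {
    "README.md": "# demo\n",
    "src/app.py": "print('hello')\n",
    ".env": "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\n",
}
EXAMPLE_PLAN = PublishPlan("alice/demo", "public", "main", EXAMPLE_FILES)
EXAMPLE_APPROVAL = Approval("alice/demo", "public", "main",
                            frozenset({"README.md", "src/app.py"}))
EXAMPLE_HEADERS = {"X-OAuth-Scopes": "repo, workflow, delete_repo"}  # constructed

if __name__ == "__main__":
    decision = preflight(EXAMPLE_PLAN, EXAMPLE_APPROVAL,
                         scopes_from_headers(EXAMPLE_HEADERS))
    print("allowed" if decision.allowed else "refused")
    for reason in decision.reasons:
        print(" -", reason)
```

Run as a script, the gate refuses the constructed plan for four reasons: `.env` was never in the reviewed file set, its content matches a GitHub token shape, its filename is on the sensitive list, and the token carries `delete_repo` and `workflow` beyond the allowlist. The same check sits equally well in front of release creation; the point is that the agent's intended action is compared against what the user confirmed, and the token's real scopes against what the task needs, before any credential is spent.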

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill manifest and stated scope cover GitHub repository, push, and release operations, but the documentation also advertises Vercel deployment and returning deployment URLs. This scope expansion is dangerous because it introduces additional external actions and data flows that are not declared, reducing transparency and bypassing least-privilege expectations for users and reviewers.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The skill instructs reading a GitHub token directly from a fixed local secrets file, giving the skill implicit access to sensitive credentials beyond what a user may intend for a single operation. In an agent context, this is dangerous because it enables autonomous use of persistent credentials for network actions without explicit per-action authorization or provenance checks.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The documentation claims no user token is needed while the manifest explicitly requires GITHUB_TOKEN, creating a misleading representation of how privileged actions are authorized. This mismatch is dangerous because it obscures credential use and can cause users or reviewers to underestimate the sensitivity of the operations being performed.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The skill description promotes fully automatic repository creation, code push, and release management with no mention of approval steps, privacy review, or destructive-action safeguards. In this context, the capability directly affects remote resources and can exfiltrate local content, making omission of warnings and consent mechanisms materially dangerous.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The examples and workflow normalize pushing local content to GitHub and triggering deployment without any warning about sending possibly sensitive files off-host. Because the skill is designed for automation, these examples encourage silent external publication and amplify the risk of accidental data disclosure or unintended deployment.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation shows direct use of a stored GitHub token and authenticated API calls without warning that credentials are being consumed and data is being sent to an external service. In a skill that advertises autonomous operation, this omission increases the chance of silent credential use and unreviewed data transmission.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.