Bitbucket Toolbox

Security checks across malware telemetry and agentic risk

Overview

This Bitbucket review skill is mostly read-only against Bitbucket, but it also requires saving full PR reviews locally for email pickup, even though it elsewhere claims no local storage.

Install only if you are comfortable with the agent reading Bitbucket data available to the token and saving full markdown PR reviews under the skill's reviews directory for possible email delivery. Use a dedicated read-only token limited to the needed workspace or repositories, confirm who receives the generated emails, and define retention or cleanup for exported reviews.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

High, 97% confidence
Finding
The skill claims there is no local file I/O, yet it instructs the agent to write full PR reviews to disk for downstream email workflows. This discrepancy is dangerous because repository-derived content, including potentially sensitive code insights, can be persisted locally and then redistributed without users understanding that storage and secondary transmission occur.

Description-Behavior Mismatch

Medium, 92% confidence
Finding
The manifest frames the skill as a read-only Bitbucket browsing/review wrapper, but the documented behavior includes writing generated review artifacts to local storage. While this does not modify Bitbucket state, it expands the skill's data-handling surface beyond what operators may expect, increasing the risk of sensitive review material being stored or propagated locally.

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The skill description frames this tool as optimized for pull request code analysis, but the command surface also permits broad repository enumeration, branch/commit history access, and arbitrary file reads via `repos`, `branches`, `commits`, `file`, and `ls`. In an agent context, that scope expansion matters because it enables access to repository content unrelated to the PR under review, increasing the chance of unnecessary data exposure or overcollection beyond the user's apparent intent.

Intent-Code Divergence

Low, 88% confidence
Finding
The security/header comments understate the tool's actual behavior by claiming PR-focused read-only use and saying no data is sent beyond the authorization header, while the implementation transmits repository names, branch names, file paths, and query strings to Bitbucket endpoints. Misleading security documentation can cause operators or agent frameworks to grant the skill more trust than warranted, weakening review and authorization decisions.

Missing User Warnings

Medium, 96% confidence
Finding
The safety/privacy section omits required filesystem writes and even contradicts them, which undermines informed consent and safe deployment decisions. In practice, operators may enable the skill believing it is non-persistent, while it actually stores review data that may contain sensitive repository information and commentary.

Ssd 3

Medium, 95% confidence
Finding
Exporting PR reviews to local files for automated email delivery creates a clear data exfiltration path for repository-derived information in natural-language form. Even if the Bitbucket access is read-only, the generated review may summarize proprietary code, vulnerabilities, architecture details, or secrets spotted in diffs, which can then be leaked through local storage or email distribution.

VirusTotal

66/66 vendors flagged this skill as clean.
