Skill Release Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it helps publish OpenClaw skills to GitHub and ClawHub, but users should review files before running the push/publish scripts.

Before running the GitHub or full publish scripts, inspect the target skill folder, run git status, confirm the remote repository and ClawHub slug, and make sure no private files or secrets will be included by git add -A.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The script stages all files, commits them, and pushes to a user-specified GitHub repository without any confirmation prompt, dry-run, filtering, or warning that repository contents will be transmitted off-host. In an agent or automation context, this creates a real risk of unintentionally exfiltrating secrets, local credentials, build artifacts, or other sensitive files that happen to be present in the folder.

VirusTotal

60/60 vendors flagged this skill as clean.
