ClawHub

Devops Pipeline Management

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate DevOps pipeline management skill, but it can run, cancel, delete, and overwrite CI/CD pipelines with insufficient guardrails in several paths.

Install only for trusted DevOps users and use it against non-production or least-privilege accounts first. Require explicit human confirmation for run, cancel, delete, save, and update actions; avoid non-interactive creation helpers unless reviewed; and treat printed request/response bodies and console logs as sensitive because they may contain internal infrastructure details or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (33)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document explicitly states that stage/step/task IDs must be preserved during updates, but the example code generates a new UUID for a task during an update flow. In a pipeline-management skill, inconsistent ID handling can corrupt task references, create duplicate or orphaned task definitions, and cause unintended changes to production CI/CD configurations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The reference explicitly documents the `OrderAction` task type with a free-form `script` field (`echo hello` as example), which enables arbitrary command execution on pipeline runners or connected environments. In a DevOps pipeline-management skill, this is materially dangerous because it can be repurposed to run destructive shell commands, exfiltrate secrets, alter artifacts, or pivot into deployment targets.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The schema explicitly allows a free-form `script` field described as a shell command script, which enables arbitrary command execution inside a pipeline task. In a DevOps pipeline-management skill, execution features are expected, but exposing unconstrained shell execution substantially increases the blast radius because users or downstream components can run arbitrary OS commands, access secrets available to the runner, modify artifacts, or pivot to connected systems.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code presents an interactive template-selection flow but then unconditionally overwrites the choice with the first template in the list. In a DevOps pipeline-creation skill, this can silently create pipelines from an unintended template, leading to incorrect build steps, unsafe defaults, or execution of the wrong automation in a sensitive CI/CD environment.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The `confirm()` helper ignores its `default` parameter on EOF and always returns `True`, causing all confirmation gates to fail open in non-interactive contexts. Because this script creates and can execute pipelines, the behavior can turn read-like automation into unintended remote write and run actions without effective operator approval.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger examples include short, natural-language phrases that can overlap with ordinary conversation, increasing the risk of unintended command activation. In a skill that can run, cancel, or delete pipelines, ambiguous activation can cause unauthorized or accidental operational changes even without explicit malicious input.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README documents automatic triggering for create, run, cancel, and delete operations without clearly requiring user confirmation before executing state-changing actions. In DevOps pipeline management, such actions can disrupt deployments, destroy configuration, or stop active jobs, so missing confirmation materially increases the chance of harmful accidental execution.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger scenarios are generic activity descriptions like searching, executing, or checking status, rather than tightly scoped invocation conditions. Broad triggers can cause accidental activation in unrelated conversations, which is especially risky here because the skill can perform destructive or sensitive actions such as pipeline execution and deletion.

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger list includes extremely broad terms like '新建' and '创建', which can match many unrelated user requests and cause the skill to activate outside its intended DevOps context. In a high-impact skill that can create pipelines and later influence execution workflows, overbroad activation increases the chance of unintended state-changing operations from ambiguous prompts.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Repeating ambiguous keywords in manifest-style metadata without scope guards makes accidental routing more likely and reinforces unsafe activation behavior. This is especially risky because the skill performs write operations, so a weak intent filter can translate ordinary 'create' requests into pipeline-management actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase list includes the broad term "编辑流水线" (edit pipeline), which can match generic user requests that are not specifically asking to retrieve pipeline details. In an agent system, overly broad triggers can cause this skill to activate unexpectedly and expose full pipeline configuration data, including repository URLs and trigger metadata, to users or workflows that only intended a general editing action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description states that it returns complete pipeline configuration information but does not warn that the response may contain sensitive operational metadata such as repository URLs, branch names, workspace identifiers, stage structure, and trigger settings. Without explicit warning and minimization guidance, users and downstream agents may retrieve or display more sensitive configuration data than necessary, increasing the risk of information disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This skill enumerates execution-history data that includes potentially sensitive operational metadata such as trigger user, creator, Jenkins job URLs, code source details, remarks, and timing information, yet it provides no warning, minimization guidance, or privacy notice. In a DevOps context, such metadata can enable internal reconnaissance, reveal personnel and infrastructure details, and expose information that should only be surfaced on a need-to-know basis.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger keywords include broad everyday phrases like '执行详情' and '查看执行结果', which can cause the skill to activate in contexts where the user did not explicitly intend pipeline-log retrieval. In this skill, unintended activation is more dangerous because the documented behavior includes querying execution details and, on failure, automatically fetching and analyzing console logs that may expose internal operational data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document mandates automatic retrieval and analysis of Jenkins console logs for failed runs but does not warn that logs may contain secrets, access tokens, internal URLs, stack traces, or personal data. In a DevOps pipeline-management context, console logs are especially sensitive, so unconditional collection and summarization increases the risk of overexposure and downstream leakage to the user or model output.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill explicitly guides the agent to execute pipelines, including build, test, image, and deployment tasks, but it does not clearly warn that running a pipeline can mutate external systems, publish artifacts, deploy code, or trigger downstream automation. In this context, the omission is dangerous because the document is operational and prescriptive, increasing the chance that an agent will perform a high-impact action without adequate user confirmation or risk disclosure.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes very broad phrases like “删除任务”, “移除任务”, and “删除节点”, which can match common user language outside a tightly scoped pipeline-management intent. In a skill that performs destructive pipeline modifications, over-broad activation increases the chance the wrong skill is invoked and a user is led into a deletion workflow for sensitive CI/CD configuration.

Missing User Warnings

High
Confidence
95% confidence
Finding
The documentation states that updates are full replacements and omitted fields will be cleared, but it does not present a prominent user-facing destructive-action warning at the point of use. In a DevOps pipeline context, this can lead to accidental deletion of stages, triggers, sources, or task data, potentially breaking build/deploy processes or disrupting production delivery.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The CLI save examples show direct execution of overwrite-capable update commands without requiring confirmation, dry-run, or backup guidance. In a pipeline-management skill, users may copy-paste these commands and unintentionally overwrite critical CI/CD settings, causing outages or failed deployments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document provides ready-to-use examples for running pipelines, deploying to hosts, and executing commands, but offers no safety guidance, approvals, or warnings about side effects. In this skill context, these actions can trigger real builds, deployments, service changes, and host modifications, so omission of guardrails meaningfully increases the chance of accidental or abusive high-impact operations.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
Build console logs often contain secrets, tokens, internal URLs, stack traces, and sensitive source or deployment details. In a DevOps pipeline-management skill, exposing log retrieval without any privacy or sensitivity guidance increases the chance that an agent surfaces confidential operational data to the wrong user or broader context.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This document describes state-changing operations such as manual pipeline execution and cancellation without clearly warning that they can trigger real deployments, builds, or interrupt active jobs. In a DevOps pipeline-management skill, that omission is more dangerous because an agent may translate user requests into production-affecting actions without sufficient confirmation or risk signaling.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The cancel API lacks a warning about the consequences of interrupting in-flight jobs, which can leave builds, deployments, or downstream systems in a partial or inconsistent state. In this skill context, cancellation is operationally sensitive, so missing cautions increase the chance of harmful agent-assisted actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document repeatedly instructs printing the fully assembled pipeline data, and the example task payload includes fields such as scripts, artifact settings, environment-related values, and IDs derived from remote template content. In a DevOps context, pipeline definitions often contain sensitive internal configuration, so indiscriminate logging can leak secrets or operational metadata to console logs, CI logs, or shared debugging outputs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The complete example performs a live HTTP fetch of template data and then prints the resulting assembled structure without any warning, sanitization, or output controls. Because the source is remote and user-selected, this expands the risk: untrusted or sensitive template content can be echoed into logs, exposing internal build scripts, repository information, deployment parameters, and other confidential pipeline metadata.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal