Publish Skill Publisher

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate publishing helper, but it tells the agent to use local GitHub and ClawHub credentials without asking first.

Review before installing. Use it only with least-privilege GitHub and ClawHub tokens, require confirmation before reading ~/.env, publishing, pushing branches, creating PRs, or changing proxy settings, and inspect the generated package before upload.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill instructs the agent to automatically read GitHub and ClawHub credentials from the shell environment and `~/.env` without prior approval. Accessing secrets from the user's home environment is broader than necessary for a generic publishing workflow and creates clear risk of credential exposure or misuse if the skill or surrounding tooling is compromised.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill tells the agent to source `~/.env`, extract proxy settings, and even uncomment and export values for the session. This is an environment manipulation step outside the core publishing task and can alter network routing in ways the user may not expect, including directing traffic through untrusted infrastructure.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation explicitly says to read authentication tokens automatically and not ask the user, with no warning that sensitive credentials will be accessed. This bypasses informed consent for secret handling and increases the chance that highly privileged tokens are consumed in an opaque way.

Ssd 3

High
Confidence: 99%
Finding
Automatically reading authentication tokens from local environment files without first asking the user is a direct secret-access anti-pattern. In the context of a publishing skill that also interacts with external services, those credentials could be used immediately for API calls, repository operations, or publication actions beyond what the user intended.

VirusTotal

65/65 vendors flagged this skill as clean.