publish-skill-repo

Security checks across malware telemetry and agentic risk

Overview

This skill's behaviour matches its stated publishing purpose, but it can automatically publish local code, alter GitHub repositories, and persist credentials and workflows with little confirmation from the user.

Install only if you are comfortable with an agent publishing repositories for you. Use it in a clean skill-only directory, check `.gitignore` and staged files first, confirm the GitHub account, owner, repository name, and public/private setting, and review the generated workflow and stored ClawHub token before pushing tags.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill performs shell-based actions that can initialize git repositories, create remotes, set secrets, push commits, and create tags, yet it declares no permissions or safety boundary for those capabilities. In an agent environment, this under-specification is dangerous because the skill can make high-impact local and remote state changes without an explicit permission model or user-visible warning about shell execution.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script silently creates a new GitHub Actions workflow and configures it to publish on tag pushes, which materially changes the repository's automation surface beyond a simple one-time publish action. In the skill context, this is risky because it persists future behavior in the repo and can cause unintended external publication whenever matching tags are pushed.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script runs 'git add .' and commits all staged changes, which can include unrelated files, secrets, build artifacts, or user work not intended for publication. In a publishing skill, this is especially dangerous because users may expect only release-related files to be touched, not a blanket commit of the entire working tree.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script may automatically switch branches, merge the current branch into the main branch, and push to origin without an interactive review or confirmation. That can overwrite expected release flow, publish unreviewed code, and trigger downstream automation from the main branch.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
For new repositories, the script automatically creates and pushes a 'v1.0.0' tag, which immediately triggers the workflow-based publication flow. This bypasses the manifest-described confirmation/version selection behavior and can cause accidental release of an unreviewed initial state.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The new-project flow instructs the agent to automatically run a script that initializes git, creates a repository, sets secrets, commits, pushes, and tags without requiring an explicit confirmation checkpoint for those remote-modifying actions. In a publish/deploy skill, that context makes the issue more dangerous because users may invoke it expecting assistance, but the skill can perform irreversible or externally visible operations immediately.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script reads a local credential file and uploads the token into GitHub repository secrets without a separate consent step. Although repository secrets are intended storage, silently transferring a credential from local disk to a remote service is a sensitive operation that broadens credential exposure and trust boundaries.

Session Persistence

Medium
Category
Rogue Agent
Content
1. Open https://clawhub.ai/
2. Click **"Login with GitHub"** to log in
3. Go to **Settings** → **API tokens** → **"Create token"**
4. Copy the generated token (format: `clh_iVnxxxxxxxx...`)

The token is shown only once; save it immediately:
Confidence
91% confidence
Finding
"Create token" 4. Copy the generated token (format: `clh_iVnxxxxxxxx...`). The token is shown only once; save it immediately:

```bash
mkdir -p ~/.clawhub
echo "your-clawhub-token" > ~/.clawhub/secret_token
chmod 600 ~/.clawhub
```

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
86% confidence
Finding
The trigger 'deploy skill' can conflict with a built-in 'deploy' command, creating ambiguity over which action the agent should execute. In this skill's context, that ambiguity is risky because the skill performs publication and repository mutation steps, so an accidental invocation could lead to unintended pushes, tagging, or repo creation.

VirusTotal

65/65 vendors flagged this skill as clean.
