Security audit

publish-skill-repo

Security checks across malware telemetry and agentic risk

Overview

This skill is a real publishing helper, but it can automatically publish local content and use stored credentials with too little confirmation.

Install only if you want an agent to publish skill projects to GitHub and ClawHub. Before using it, check the target repository owner/name, choose public versus private deliberately, review exactly which files will be committed, and confirm that copying your ClawHub token into the GitHub repo secret is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%

Finding: The skill instructs the agent to execute shell commands that can initialize repositories, create remotes, push commits and tags, and manipulate local project state, but it declares no permissions. This creates a dangerous mismatch between the skill's documented capabilities and the authority it expects, reducing transparency and increasing the risk of unexpected code execution and repository modification.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding: The README advertises an automated flow that creates repositories, generates files, configures tokens/secrets, pushes code, and creates tags, but it does not clearly warn users that these are external, state-changing actions. In an agent-skill context, this increases the chance that a user invokes the skill casually and unintentionally causes publication or repository changes with real data exposure consequences.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: For new projects, the skill says to automatically run a script that performs destructive and externally visible actions such as git init, repository creation, secret setup, commit/push, and tagging, without requiring an explicit confirmation step immediately before execution. This can cause unintended publication of local content or irreversible repository state changes from a casual trigger.

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding: The skill checks for authentication material such as gh login state and a ClawHub token file, but it does not clearly warn the user that these credentials will be accessed and potentially used to create repositories, set secrets, and publish content. Lack of disclosure around credential use undermines informed consent and can surprise users about the scope of external actions being performed.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding: The script reads a locally stored ClawHub token and automatically uploads it to the target GitHub repository as a persistent secret without any explicit confirmation, scope validation, or destination review. This can unintentionally propagate sensitive credentials to the wrong repository or owner, especially because the repository may be created dynamically from user-supplied arguments.

Shadow Command Trigger

Severity: Medium
Category: Trigger Abuse
Confidence: 83%

Finding: The trigger 'deploy skill' overlaps semantically with a common built-in 'deploy' command and could cause accidental invocation in contexts where a user intends a different deployment action. Because this skill performs publishing and remote repository operations, trigger ambiguity raises the chance of unintended execution with meaningful side effects.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.