workspace-backup-github

Security checks across malware telemetry and agentic risk

Overview

This backup skill does what it says, but it asks users to expose a GitHub token and may upload sensitive workspace files, so it needs careful review before use.

Only install after reviewing exactly what will be committed and where it will be pushed. Do not paste a GitHub token into chat or store it in a git remote URL; use a safer auth method such as the GitHub CLI, a credential helper, or a narrowly scoped token stored outside conversation history. Use a private repository, scan the backup set for secrets, and avoid running restore unless you have a current local copy, because it may overwrite workspace state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence
High, 98% confidence
Finding: The skill claims backups contain no credentials, but elsewhere instructs use of a Git remote URL containing a GitHub token. Embedding a token in remote configuration can expose credentials through shell history, process listings, git config, logs, screenshots, or accidental backup of `.git/config`, enabling repository compromise.

Vague Triggers
Medium, 90% confidence
Finding: Broad triggers like 'backup', 'auto backup', and 'sync to github' can activate during ordinary conversation without clear user intent. In a skill that handles repository actions and sensitive workspace content, accidental invocation could lead to unwanted data collection, prompting for secrets, or unintended backup operations.

Vague Triggers
Medium, 91% confidence
Finding: The activation conditions are ambiguous and lack boundaries, making it easy for the skill to engage on casual mentions of backup-related terms. Because the skill's documented behavior includes credential collection and remote data transfer, ambiguous activation materially increases the chance of unsafe or unintended execution.

Missing User Warnings
High, 99% confidence
Finding: The setup flow asks the user to paste a GitHub token into chat without a strong warning or safer alternative. Chat transcripts may be logged, retained, visible to other tools/agents, or exposed in UI history, so collecting a live credential through natural language creates a direct credential disclosure path.

Missing User Warnings
Medium, 94% confidence
Finding: The script silently reconfigures the Git remote and pushes workspace contents to GitHub, which can exfiltrate sensitive agent data, memory, prompts, or credentials if the target repository or token is incorrect or attacker-controlled. In this skill context, the behavior is expected for a backup tool, but the lack of an explicit confirmation step, repository validation, and clear disclosure makes accidental or unauthorized data transfer materially risky.

Missing User Warnings
Medium, 98% confidence
Finding: The script accepts a GitHub token as a positional argument and embeds it directly into the remote URL, which exposes the credential through process arguments, shell history, Git configuration, and command output paths. This can lead to token theft and subsequent repository compromise or broader GitHub account access depending on token scope.

Ssd 3
High, 99% confidence
Finding: This setup explicitly solicits a GitHub access token through conversation, creating a sensitive-data collection channel. If the token is intercepted, logged, or mishandled, an attacker could gain control over private repositories and potentially pivot to source code theft, tampering, or broader account abuse depending on token scope.

Ssd 3
Medium, 93% confidence
Finding: The documented backup scope includes memory, user, identity, and agent configuration files that may contain sensitive personal, behavioral, or operational information. Sending these files to GitHub, even a private repository, increases exposure if the repo is misconfigured, shared, compromised, or accessed by others with repository permissions.

VirusTotal

64/64 vendors flagged this skill as clean.