Auto Deploy

Security checks across malware telemetry and agentic risk

Overview

This skill matches an auto-deployment purpose, but it ships real-looking credentials and root-level deployment automation that could change or damage a live server.

Review before installing. Only use this for systems you own, rotate the exposed Git and root passwords, remove hardcoded secrets, use a least-privilege deploy user, validate deployment paths, and require explicit approval before any code push, SSH key installation, deployment, restart, rollback, or package installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Intent-Code Divergence

Severity: Low
Confidence: 95%
Finding:
The README instructs users to configure SSH access and deploy as root, which violates least-privilege and creates a high-impact path for full server compromise if the agent, its credentials, or deployment workflow are abused. Although the document later recommends a non-root deploy user, the primary setup flow normalizes root-based automation, making accidental or malicious destructive actions much more dangerous.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
This file is presented as a configuration completion report, but it also authorizes broad operational behavior including code changes, commits, builds, deployment, and rollback. That mismatch can mislead users and downstream agents into treating an operationally dangerous skill as informational, increasing the chance of unintended privileged actions.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The document states that sensitive operations require user confirmation, but the described workflow still performs code push, deployment, and service restart automatically. This mismatch can cause an agent to take production-impacting actions without explicit approval, increasing the risk of unintended changes, outages, or unauthorized deployment.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The document discloses concrete server access details, including a reusable SSH public key, a root login target, and a plaintext password. Even though the key shown is a public key, bundling it with host and password information materially lowers the barrier to unauthorized access attempts and normalizes insecure credential handling in an agent skill.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding:
The script embeds a plaintext root password and uses it to authenticate non-interactively to a remote host, which is far riskier than the comment suggests. Hardcoded administrative credentials can be recovered from source control, logs, backups, or local file access and enable direct privileged access to the target server.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The configuration explicitly uses the root account for SSH deployment to a production path, which increases the blast radius of any deployment mistake or credential compromise. Although this appears to be standard operational documentation rather than overtly malicious content, encouraging root-based deployment without a stronger warning or least-privilege guidance is unsafe.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The invocation phrase is a broad natural-language request that could plausibly arise in normal conversation and trigger code development and deployment actions unintentionally. In a skill that performs high-impact operations, ambiguous activation increases the risk of accidental execution, prompt injection via relayed user content, or misuse through casual phrasing.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The README promises fully automatic development, commit, build, and deployment from a simple user request without prominent warning or approval requirements. In context, this is dangerous because the skill is wired to privileged tooling and remote access, so a single prompt could lead to unauthorized code changes, production deployment, or service disruption.

Vague Triggers

Severity: High
Confidence: 97%
Finding:
The natural-language triggers are broad phrases such as requests to add features or deploy code, which can easily overlap with normal conversational requests. In a skill with deployment capability, this can cause accidental invocation of repository access, builds, server changes, or rollbacks without the user's informed intent.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The document describes a full automated pipeline including code pull, build, packaging, backup, upload, restart, and health checks, but it does not provide a prominent warning about service impact, data risk, or operational consequences. Users may trigger disruptive production actions without understanding that the skill can alter live systems and affect availability.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The closing text promises automatic end-to-end development, commit, build, and deployment on the user's behalf without clarifying boundaries or requiring consent checkpoints. This creates a high-risk automation path where ordinary requests may lead directly to privileged code and infrastructure changes.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill is framed as automatically pulling code, modifying it, pushing to Git, deploying to servers, restarting services, and performing rollback actions, but it does not present an upfront warning that these are impactful operations. In an agent setting, this can normalize high-risk behavior and lead to unauthorized changes to source control and production systems.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The file explicitly instructs users to use a plaintext password and even passes it on the command line via sshpass, which can expose it to shell history, process listings, logs, and screenshots. This is dangerous because it encourages insecure operational practices around a live server credential and could directly lead to credential compromise.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The script hardcodes a root password directly in source code, which exposes credentials to anyone with file, repository, log, backup, or process access. Combined with the target IP and root username, this can enable immediate unauthorized administrative access to the server.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script modifies the remote root user's authorized_keys without confirmation, which changes long-term authentication state on the server. In this context, it is especially sensitive because it grants persistent access to the root account, not just a temporary session change.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The script accesses and transmits a credential without any warning, consent, or secure handling, and the credential is stored directly in the file as plaintext. In this context, the issue is especially dangerous because the credential is for the root account on a specific server, making accidental disclosure or reuse highly damaging.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script reads Git credentials from a config file and interpolates them directly into an HTTP clone URL executed on the remote host. This can expose secrets via process listings, shell history, logs, crash output, or the checked-in config file itself, and the deployment context makes it more dangerous because these are live infrastructure credentials used during automated production deployment.

Missing User Warnings

Severity: High
Confidence: 89%
Finding:
The script performs a remote recursive deletion of the deployment directory contents with no validation, prompt, or safety guard. If DEPLOY_PATH is empty, malformed, or unexpectedly broad due to config error or tampering, this can wipe unintended files on the target server and cause outage or data loss.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script downloads NodeSource setup code over the network and immediately executes it with bash as root, which is a classic supply-chain risk. If the remote endpoint, DNS, TLS trust chain, or network path is compromised, arbitrary commands could run during installation with full system privileges.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script uses SSH with StrictHostKeyChecking=no during its connection test, which disables host identity verification and makes man-in-the-middle attacks easier. In a deployment/setup context, this is a real security weakness because users may trust the result and continue configuring a hostile or spoofed server without noticing.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The script hardcodes and prints sensitive access information, including a root username, server IP, and plaintext password, and guides the operator to use them directly. Exposing privileged credentials in source code and console output can enable unauthorized server access by anyone who can read the file or logs.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script displays SSH public key material and instructs the user to append it to root's authorized_keys, which grants persistent remote access. In this context, the behavior is more dangerous because it explicitly establishes root SSH access on a target server without validation, audit controls, or user safety checks.

VirusTotal

65/65 vendors flagged this skill as clean.