ai-pr-doctor

Security checks across malware telemetry and agentic risk

Overview

This skill is disclosed as PR automation, but it can change and merge GitHub PRs and publish reports to Feishu by default without strong user approval gates.

Install only for tightly controlled repositories. Use least-privilege GitHub credentials, protected branches, required checks, and trusted versions of the referenced skills. Set auto_merge=false and notify_feishu=false unless explicitly needed, confirm the Feishu folder and sharing permissions, and avoid cron or batch mode until merge and publication controls are clearly bounded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The workflow sends PR-derived content to Feishu, an external system, even though the core skill is presented as PR diagnosis and bug fixing. PR titles, bodies, filenames, comments, and review output can contain sensitive code, secrets, internal issue references, or proprietary context, so this creates a real data exfiltration and third-party sharing risk.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The fallback for step 2 says that if AI review fails, the workflow skips review and proceeds directly to auto-fix, undermining the normal safety gate. In a workflow that can automatically modify code and merge PRs, bypassing the review stage on failure can allow unsafe, unreviewed, or attacker-crafted changes to be executed and merged.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README explicitly promotes an automated workflow that can repair code, run tests, and merge PRs, but it does not state any approval gates, branch protections, permission scoping, or confirmation requirements before modifying repository state. In a PR automation skill, this omission is dangerous because users may enable or invoke the skill expecting analysis-only behavior while it performs write actions that can change code or merge unreviewed changes.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The usage example presents automatic merge immediately after tests pass as the normal flow, without mentioning that merging is irreversible in practice, may bypass expected human review, and can land unsafe or incorrect AI-generated fixes. Because this skill is specifically designed to act on GitHub PRs, the lack of cautions and safeguards materially increases the chance of unsafe repository modifications being triggered by users or automation.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The trigger examples include broad natural-language phrases like “诊断这个 PR” (diagnose this PR), “代码审查这个 PR” (code review this PR), and “帮我看看这个 PR” (help me look at this PR), which are common conversational requests rather than tightly scoped invocations. In this skill, accidental activation is more dangerous because the workflow can fetch PR data, run automated fixes, and even auto-merge changes, so an unintended trigger could initiate impactful repository actions.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: The declared triggers include very broad terms such as “代码审查” (code review) and especially “自动合并” (auto merge), which can match routine user intent far beyond this specific skill. Because the skill chains into an auto-pr-merger step with write access and `auto_merge_if_passed: true`, ambiguous triggering materially increases the risk of unintended code modification or merge operations.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding: The workflow advertises automatic fixing and merging in broad terms and defaults auto_merge to true, without clearly constraining when that behavior is allowed. In security-sensitive CI/CD contexts, vague activation and permissive defaults increase the chance of unintended execution and unsafe merges, especially when inputs like PR URLs and test commands are user-controlled.

VirusTotal

64/64 vendors flagged this skill as clean.