Multi-agent Collaborative Execution (多agent协同执行)

Security checks across malware telemetry and agentic risk

Overview

The skill is largely the disclosed local workshop workflow, but it also contains under-scoped maintenance commands and unsafe network handling that users should review before installing.

Install only if you are comfortable with a workflow skill that writes workshop state locally and may spawn subagents. Avoid the JD (job-description) search feature for confidential tasks unless you accept that query terms are sent to Serper, and fix or avoid the TLS fallback that disables certificate verification. Do not run the orchestrator's `cleanup` command unless you understand that it edits OpenClaw session state outside the workshop directory.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: Medium (confidence 88%)
Finding
The README frames the skill as a local package, yet an optional feature sends queries to external services (Serper and recruitment platforms). That mismatch can lead operators to assume there is no network or data-egress risk, which is dangerous when task or role inputs contain sensitive business context.

Context-Inappropriate Capability

Severity: Medium (confidence 80%)
Finding
The skill's main purpose is running a multi-role workshop, but it also bundles external JD scraping and search functionality that is not tightly scoped to that purpose. The extra outbound capability enlarges the attack surface and creates opportunities for unnecessary data exposure, especially when users paste sensitive task descriptions into the role-generation flow.

Description-Behavior Mismatch

Severity: Medium (confidence 96%)
Finding
The `cleanup` command modifies an external `sessions.json` file under OpenClaw infrastructure, which is out of scope for the workshop orchestrator's stated session and phase management. This is a cross-boundary side effect: invoking the skill can alter other agents' state, delete every entry whose key contains the substring `subagent`, and require a gateway restart, so triggering the command in the wrong environment can cause accidental disruption or be abused deliberately.

Context-Inappropriate Capability

Severity: High (confidence 98%)
Finding
The code reaches outside the skill workspace (`WORKSPACE_ROOT.parent / agents / main / sessions / sessions.json`) and rewrites external agent-infrastructure state, extending the trust boundary far beyond workshop data. Because it deletes any key containing `subagent` by substring match rather than by an exact list of the sessions the workshop itself created, misuse or an unexpected directory layout could corrupt shared orchestration state or disable unrelated agents. In a multi-agent environment this is significantly more dangerous.
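The two `cleanup` findings above come down to two separate defects: a path that escapes the workshop root, and a substring match that cannot tell the workshop's own subagent sessions from anyone else's. The following is an added example written for this review, not the skill's own code. The `sessions.json` layout, the key names, and the idea of a per-workshop record of "owned" session keys are constructed for illustration; the real file format was not shown on the page. It contrasts the substring rule with a scoped rule and adds a trust-boundary check that refuses to write outside the workshop root.

```python
"""Added example, not the skill's own code: why deleting every sessions.json
key that merely contains 'subagent' is a blast-radius problem, and a scoped
alternative. The sessions.json layout, key names and the per-workshop
'owned sessions' record are constructed for illustration."""
import json
import tempfile
from pathlib import Path

# Constructed sessions file shared by several orchestrators. Only two entries
# belong to this workshop; two unrelated ones also happen to contain 'subagent'.
SAMPLE_SESSIONS = {
    "main": {"owner": "gateway"},
    "workshop-abc123-subagent-1": {"owner": "workshop-abc123"},
    "workshop-abc123-subagent-2": {"owner": "workshop-abc123"},
    "ops-subagent-monitor": {"owner": "ops-team"},
    "billing-subagent": {"owner": "billing"},
}

# What a scoped design would keep under workshops/<sid>/ (hypothetical): the
# exact session keys this workshop created, so cleanup can target only those.
WORKSHOP_OWNED = {"workshop-abc123-subagent-1", "workshop-abc123-subagent-2"}


def cleanup_by_substring(sessions):
    """The pattern the finding describes: drop every key containing 'subagent'."""
    return {k: v for k, v in sessions.items() if "subagent" not in k}


def cleanup_scoped(sessions, owned):
    """Scoped alternative: remove only the sessions this workshop recorded."""
    return {k: v for k, v in sessions.items() if k not in owned}


def collateral_damage(sessions, owned):
    """Keys the substring rule deletes that the workshop never created."""
    removed = set(sessions) - set(cleanup_by_substring(sessions))
    return sorted(removed - owned)


def is_inside(target, root):
    """Trust-boundary check: True only if target resolves beneath root
    (symlinks and '..' are resolved before comparing)."""
    try:
        Path(target).resolve().relative_to(Path(root).resolve())
        return True
    except ValueError:
        return False


def run_cleanup(sessions_path, workshop_root, owned):
    """Load, scope-check and rewrite a sessions file. Fails closed when the
    file lies outside the workshop root instead of editing shared state."""
    sessions_path, workshop_root = Path(sessions_path), Path(workshop_root)
    if not is_inside(sessions_path, workshop_root):
        raise PermissionError(f"refusing to modify {sessions_path}: outside {workshop_root}")
    data = json.loads(sessions_path.read_text())
    kept = cleanup_scoped(data, owned)
    sessions_path.write_text(json.dumps(kept, indent=2))
    return kept


def demo_run_cleanup():
    """Exercise run_cleanup in a throwaway tree: one file inside the workshop
    root (rewritten) and an OpenClaw-style path outside it (refused).
    Returns (surviving keys, whether the outside write was blocked)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "workshops" / "abc123"
        root.mkdir(parents=True)
        inside = root / "sessions.json"
        inside.write_text(json.dumps(SAMPLE_SESSIONS))
        kept = run_cleanup(inside, root, WORKSHOP_OWNED)
        outside = Path(d) / "agents" / "main" / "sessions" / "sessions.json"
        try:
            run_cleanup(outside, root, WORKSHOP_OWNED)
            blocked = False
        except PermissionError:
            blocked = True
    return sorted(kept), blocked


if __name__ == "__main__":
    print("substring rule also deletes:", collateral_damage(SAMPLE_SESSIONS, WORKSHOP_OWNED))
    print("scoped rule keeps:", sorted(cleanup_scoped(SAMPLE_SESSIONS, WORKSHOP_OWNED)))
    print("demo:", demo_run_cleanup())
```

On the constructed data the substring rule silently removes `ops-subagent-monitor` and `billing-subagent`, which the workshop never created; the scoped rule removes exactly its own two sessions, and `run_cleanup` refuses the path under `agents/main/sessions/` because it does not resolve beneath the workshop root.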

Missing User Warnings

Severity: Medium (confidence 94%)
Finding
The README documents the Serper-based external search but does not clearly warn that role, industry, and task inputs may be sent to a third-party service. In a workshop or planning context those inputs can reveal confidential initiatives, internal projects, or regulated subject matter, so silent transmission is a meaningful privacy and compliance risk.

Vague Triggers

Severity: Medium (confidence 88%)
Finding
The trigger list includes broad natural-language activators such as '圆桌' ("round table") and '需求评审' ("requirements review"), which are common phrases that may appear in ordinary conversation. Overbroad triggers raise the chance of accidentally invoking a high-capability skill that can write files, manage state, and later orchestrate other tools, expanding the blast radius of a benign user utterance.

Missing User Warnings

Severity: Medium (confidence 91%)
Finding
The document explicitly permits `generate_execution.py` to write runnable scripts into `workshops/<sid>/scripts/`, but it requires no user-facing confirmation, safety review, or constraints on what may be generated. In an agentic environment this normalizes the silent creation of executable artifacts that may later be run, increasing the risk of unintended code execution, persistence, or workspace tampering.

Missing User Warnings

Severity: Medium (confidence 98%)
Finding
If certifi is unavailable, the script disables certificate verification by creating an unverified SSL context before sending an authenticated request. That exposes the Serper API key and the response data to man-in-the-middle interception or tampering, especially on hostile or corporate networks. The fallback is unnecessary: Python's default SSL context already loads the operating system's trust store when no certifi bundle is supplied.
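The following added example, written for this review and not taken from the skill, shows the fallback the finding describes next to a fail-closed replacement. The Serper endpoint URL and the `X-API-KEY` header name are assumptions used only to build a request object; nothing is sent, and everything here runs offline.

```python
"""Added example, not the skill's own code: the certifi-missing TLS fallback
the finding describes, beside a fail-closed replacement. SERPER_URL and the
X-API-KEY header are assumptions; the request is built but never sent."""
import json
import ssl
import urllib.request

SERPER_URL = "https://google.serper.dev/search"  # assumed endpoint, never contacted here


def certifi_bundle():
    """Path to certifi's CA bundle if the package is installed, else None."""
    try:
        import certifi
        return certifi.where()
    except ImportError:
        return None


def make_context_unsafe(cafile):
    """The pattern the finding flags: with no certifi bundle, build a context
    that verifies nothing. Equivalent to ssl._create_unverified_context()."""
    if cafile is not None:
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # any name on the certificate is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, or none, is accepted
    return ctx


def make_context_hardened(cafile=None):
    """Fail closed: use certifi's bundle when present, otherwise the OS trust
    store that create_default_context() loads. Never downgrade to CERT_NONE."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification is off; refusing to send the API key")
    return ctx


def verifies_peer(ctx):
    """True only when both certificate and hostname checks are enabled."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def build_serper_request(api_key, query):
    """Authenticated request: the key rides in a header, which is exactly what
    an on-path attacker reads when the peer is not verified."""
    body = json.dumps({"q": query}).encode()
    return urllib.request.Request(
        SERPER_URL, data=body, method="POST",
        headers={"X-API-KEY": api_key, "Content-Type": "application/json"},
    )


def safe_opener(api_key, query):
    """Opener and request pair, returned only if the context verifies the peer."""
    ctx = make_context_hardened(certifi_bundle())
    if not verifies_peer(ctx):
        raise RuntimeError("unverified context")
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    return opener, build_serper_request(api_key, query)


if __name__ == "__main__":
    print("fallback verifies peer:", verifies_peer(make_context_unsafe(None)))
    print("hardened verifies peer:", verifies_peer(make_context_hardened(None)))
```

The only behavioural difference is the branch taken when certifi is missing: the unsafe version sets `CERT_NONE`, while the hardened version keeps `CERT_REQUIRED` with hostname checking and relies on the system CA store, which is what `ssl.create_default_context()` loads by default. If a deployment truly has no usable trust store, the right outcome is a failed request, not a silent downgrade with the API key in the headers.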

VirusTotal

0 of 67 vendors flagged this skill; all 67 reported it as clean.
