Collaborative Agent

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent multi-agent workflow helper, but it relies on broad automatic capability execution and on skill-evolution (SkillEvolver) behavior without clear user approval or scoping of either.

Review this skill before installing if your environment has powerful registered capabilities, private data stores, or tools that can modify files, accounts, services, or installed skills. Prefer using it only where capability execution requires explicit approval and where SkillEvolver logging or behavior changes are understood and controllable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 91%

Finding
The trigger section is overly broad, describing generic complex/research/code-generation scenarios without clear boundaries, exclusions, or user-confirmation requirements. In a skill that orchestrates multiple agents and downstream capability execution, vague activation conditions increase the chance the skill is invoked in unintended contexts and performs actions beyond user expectations.

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding
The integration section states that the skill will automatically call `capability_executor.detect_and_execute()` on registered capabilities, but the documentation does not prominently warn users that automatic execution may occur. This is dangerous because a collaborative multi-agent workflow can silently escalate from planning into real tool or capability execution, increasing the risk of unintended side effects, unsafe actions, or abuse of powerful registered capabilities.
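The mitigation both findings point at is the same: capability execution should be scoped to an explicit allowlist and, for anything that mutates files, accounts, services or skills, gated behind an approval step, with every decision recorded so the step from planning to execution is never silent. The wrapper below is an added illustration written for this review, not code from the Collaborative Agent skill or from SkillSpector. The skill's real `capability_executor` API is not documented on this page, so the registry shape, the `Capability`/`Effect` types, the `detect_and_execute(plan)` signature and the in-memory file store are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Any, Callable

# Hypothetical types: the scanned skill's real capability_executor API is not
# documented on this page, so this wrapper invents its own registry and plan shape.


class Effect(Enum):
    READ_ONLY = "read_only"  # safe to run without a human in the loop
    MUTATING = "mutating"    # modifies files, accounts, services or installed skills


@dataclass(frozen=True)
class Capability:
    name: str
    effect: Effect
    run: Callable[..., Any]


@dataclass(frozen=True)
class AuditEvent:
    capability: str
    decision: str  # "executed" or "denied:<reason>"
    args: dict


class ApprovalGatedExecutor:
    """Execute a plan's capability calls only when in scope and approved.

    Read-only capabilities on the allowlist run automatically. Mutating ones
    additionally need approve(name, args) to return True. Unregistered or
    out-of-scope calls are refused regardless of approval, and every decision
    is appended to an audit trail.
    """

    def __init__(self, registry, approve, allowlist):
        self.registry = {c.name: c for c in registry}
        self.approve = approve
        self.allowlist = frozenset(allowlist)
        self.audit: list[AuditEvent] = []

    def _deny(self, name, args, reason):
        self.audit.append(AuditEvent(name, f"denied:{reason}", args))

    def detect_and_execute(self, plan):
        """plan: list of (capability_name, kwargs) produced by the planner."""
        results = {}
        for name, args in plan:
            cap = self.registry.get(name)
            if cap is None:
                self._deny(name, args, "unregistered")   # planner named a tool that does not exist
                continue
            if name not in self.allowlist:
                self._deny(name, args, "out_of_scope")   # registered, but not enabled for this session
                continue
            if cap.effect is Effect.MUTATING and not self.approve(name, args):
                self._deny(name, args, "not_approved")   # side effect without explicit consent
                continue
            results[name] = cap.run(**args)
            self.audit.append(AuditEvent(name, "executed", args))
        return results


def build_demo(approve):
    """Run a constructed plan against a constructed in-memory file store."""
    store = {"notes.txt": "a", "secrets.env": "b"}  # constructed sample data
    registry = [
        Capability("list_files", Effect.READ_ONLY, lambda: sorted(store)),
        Capability("delete_file", Effect.MUTATING, lambda path: store.pop(path, None)),
        Capability("rotate_credential", Effect.MUTATING, lambda account: f"rotated {account}"),
    ]
    executor = ApprovalGatedExecutor(registry, approve, allowlist={"list_files", "delete_file"})
    plan = [
        ("list_files", {}),
        ("delete_file", {"path": "secrets.env"}),
        ("rotate_credential", {"account": "deploy"}),  # registered, outside this session's scope
        ("drop_database", {}),                          # not registered at all
    ]
    results = executor.detect_and_execute(plan)
    return results, [e.decision for e in executor.audit], store


if __name__ == "__main__":
    deny_all = lambda name, args: False
    _, decisions, store = build_demo(deny_all)
    for d in decisions:
        print(d)
    print("remaining files:", sorted(store))
```

With an approver that always refuses, the read-only listing still runs, the deletion is recorded as `denied:not_approved` and the store is untouched; with an approver that accepts, the deletion runs, but `rotate_credential` is still refused as out of scope, because approval never widens the allowlist. That ordering (registration, then scope, then approval) is the property to insist on before letting a skill like this call into a registry with powerful capabilities.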

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal