Agency Agents Caller

Security checks across malware telemetry and agentic risk

Overview

This is mainly a local prompt-library skill, but it asks users to share a ClawHub token and has unrelated high-authority capability tags, so it needs review before installation.

Install only if you want a local database of reusable agent prompts and are comfortable reviewing prompts before giving them tool access. Do not paste a ClawHub token into chat; authenticate only through official browser or local CLI flows. Treat any retrieved agent prompt as lower-trust content, especially prompts that mention posting, payments, analytics retention, shared identity memory, wallets, purchases, or signing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill declares no permissions, but its documented install and runtime behavior clearly creates directories, initializes a SQLite database, and reads bundled agent data, which implies file read/write capability. This is dangerous because users and platform policy engines cannot accurately assess what the skill will access or modify, reducing transparency and potentially enabling unintended filesystem changes during installation or use.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The guide explicitly asks the user to send their ClawHub token to the assistant so it can publish on the user's behalf. API tokens are sensitive credentials, and requesting them in chat creates a direct credential exfiltration path that is unrelated to the skill's stated purpose of calling professional agents from a database.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill metadata says it 'calls agents on-demand from database,' but the file actually embeds the full prompt corpus for a very large agent library. That mismatch materially expands the trust boundary: any consumer expecting a thin registry may instead ingest executable prompt instructions, increasing prompt-injection surface and unintended capability exposure. In a multi-agent system, hidden embedded prompts can be invoked, leaked, or repurposed beyond the advertised scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The file contains many embedded agent definitions with powerful operational behaviors unrelated to a simple 'caller' skill. This turns the skill into a large prompt payload with broad instruction surface, making it easier for an orchestrator or downstream LLM to select, inherit, or obey risky instructions that were never intended for the current task. The danger is amplified because these capabilities are packaged as trusted internal agent content rather than isolated, permission-scoped tools.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The document asks the user to share a ClawHub token directly with the assistant and provides no warning that the token is equivalent to account-level API credentials. This normalizes unsafe credential handling and could allow unauthorized account access, publishing actions, or token reuse if the chat is logged or intercepted.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README explicitly instructs consumers to retrieve and use full agent prompts from a bundled database as system prompts, but provides no warning that these prompts are untrusted content and may contain prompt-injection, unsafe instructions, or policy-bypassing behavior. In this skill's context, the database is a large prompt corpus intended for direct downstream LLM use, which increases the likelihood that unsafe prompt content will be propagated into higher-trust model contexts.

Vague Triggers

Severity: Medium
Confidence: 97%
Finding: The embedded autonomous social-posting agent includes broad autonomous execution language: it researches, generates, publishes, fetches analytics, and self-schedules without intermediate approval. In an agent ecosystem, that creates a dangerous path to unintended external actions, spam, account misuse, reputational harm, and uncontrolled API consumption, especially if another component loads or follows these instructions implicitly. The skill context makes this more dangerous because the parent skill is described as an agent caller, so hidden autonomy may bypass expected human review.

Ssd 3

Severity: High
Confidence: 99%
Finding: The file instructs the user to tell the assistant their ClawHub token so the agent can perform publishing actions. This is a classic secret-disclosure anti-pattern: once shared in chat, the token may be retained in logs, visible to intermediaries, or misused to impersonate the user and access or modify their ClawHub resources.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The autonomous posting agent explicitly collects analytics, stores learning history, and iteratively reuses performance data. Without clear minimization, retention, consent, and boundary controls, this can accumulate sensitive behavioral or account-linked data over time and repurpose it beyond the user's original expectation. In the context of an autonomous actor with publishing rights, persistent data collection materially increases privacy and governance risk.

Ssd 3

Severity: High
Confidence: 98%
Finding: The identity-resolution agent instructs cross-agent retention and sharing of entity-linked memory, decision history, and canonical identity data. That creates a high-risk central memory layer that can aggregate personal or sensitive information across contexts, propagate it to multiple agents, and increase the blast radius of mis-resolution, over-retention, or unauthorized access. In an agent-caller skill, this is particularly dangerous because many agents could inherit or query that shared memory implicitly.

VirusTotal

VirusTotal findings are pending for this skill version.