Agent Caller

Security checks across malware telemetry and agentic risk

Overview

The core code is a local agent-prompt catalog, but the package also includes unsafe credential-sharing guidance and high-impact agent prompts without adequate user-control warnings.

Review this package before installing. Do not share a ClawHub API token with the skill author, an assistant, or chat; use only official browser login or local CLI token entry. Treat the bundled agent prompts as untrusted templates, especially ones involving payments, posting, email, credentials, or persistent memory, and require explicit approvals and scoped tools before using them in another agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill declares and documents filesystem-affecting behavior in its installation steps and usage (`mkdir -p memory/database`, database initialization, and writing a SQLite DB) but does not declare corresponding permissions. This creates a transparency and consent problem: hosts or users may grant or execute the skill under the assumption that it is non-invasive, while it can read and write local files and persist data.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The guide explicitly asks the user to disclose their ClawHub token to the skill operator ('tell me your ClawHub token, I'll help you publish'). API tokens are sensitive credentials that grant account access, and requesting direct disclosure is unnecessary for a skill whose purpose is calling agents from a database, creating a clear path for credential theft and account misuse.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
Finding: The registry includes agent definitions with powerful capabilities such as payment execution, direct publishing, infrastructure changes, and autonomous routing that materially exceed the parent skill's stated purpose of 'calling agents from a database.' If a caller can select arbitrary agents from this dataset without strict authorization and tool gating, this becomes a capability-escalation surface that could trigger real-world actions far outside user intent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The document tells the user to share a ClawHub token without any warning that the token is equivalent to a secret credential or that safer alternatives exist. This materially increases the likelihood of unsafe credential handling, token leakage, and unauthorized access to the user's account or publishing capabilities.

Missing User Warnings

Severity: Medium
Confidence: 72%
Finding: The usage section explicitly instructs users to run initialization, verification, and import scripts without warning that these commands will create directories, write to a SQLite database, and import local data. In a skill that automates agent setup and database population, this increases the chance that a user runs state-changing commands without understanding their local impact, which is unsafe even if not overtly malicious.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The document promotes automatic database initialization and agent import as a feature but does not disclose that running the initialization changes local state by creating or modifying a database and importing 179 records. In a skill that distributes prebuilt agent prompts from JSON into a database, this omission can lead users to run a data-modifying setup step without informed consent, which increases the risk of unintended writes, duplicate content, or ingestion of unreviewed prompt data.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The installation example directly instructs users to run `python scripts/init_database.py` while describing the step as an automatic import of 179 agents, but it provides no warning that this performs local state changes. Because this skill centers on importing a large bundled dataset of agent prompts into a database, the lack of disclosure is materially risky: users may execute the command expecting verification or setup only, not data creation and persistent modification.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding: The README explicitly encourages retrieving complete agent prompts from a local database and using them as system prompts in downstream LLM calls, but provides no warning that these prompts are untrusted content and may contain prompt injection, unsafe instructions, secrets, or policy-bypassing text. In this skill's context, the database is a bulk repository of 179 agent definitions and even supports adding custom agents, which increases the chance that consumers will blindly elevate stored prompt text into a privileged context.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: Broad agent role definitions without invocation boundaries or explicit exclusions make it easier for downstream orchestrators to over-delegate tasks or expose sensitive operations to the wrong context. In a large catalog, ambiguous scope increases the chance that a benign request is routed to an overpowered persona with unexpected behaviors or tool assumptions.

Vague Triggers

Severity: High
Confidence: 97%
Finding: The Carousel Growth Engine explicitly promotes autonomous end-to-end behavior: researching arbitrary URLs, generating content, publishing to external platforms, fetching analytics, and iterating without confirmation. That combination of broad autonomy, external network actions, and publication authority creates a high-risk pathway for unauthorized posting, abusive automation, or exfiltration through third-party services.

Ssd 3

Severity: High
Confidence: 99%
Finding: The guide requests that the user provide their ClawHub token so it can be used on their behalf, which is a direct credential-harvesting pattern. In the context of a third-party skill, this is especially dangerous because the operator could publish code, access account resources, or perform actions impersonating the user without meaningful oversight.

Ssd 3

Severity: Medium
Confidence: 75%
Finding: Instructions to retain user interaction and payment details across sessions create unnecessary persistence of sensitive financial and behavioral data. If implemented broadly, this expands privacy risk, retention liability, and the blast radius of any compromise, especially when the parent skill is just an agent catalog rather than a payment platform with defined data-minimization rules.

Ssd 3

Severity: High
Confidence: 96%
Finding: The email intelligence agent instructs ingestion, reconstruction, and retention of raw email threads, attachments, participant graphs, and contextual data for downstream agent use. Email content routinely contains PII, credentials, contracts, financial data, and sensitive attachments, so broad retention and reuse significantly increase exposure and create a high-impact privacy and data-governance risk if the containing system lacks strict minimization and access controls.

VirusTotal

65/65 vendors flagged this skill as clean.
