bot

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local agent framework, but its memory helpers build the on-disk path from the caller-supplied agent ID without validation, so an ID containing path separators or ".." can read or write files outside the advertised memory folder. It needs review before use.

Install only in a virtual environment and use the monitor with non-sensitive prompts. Do not pass untrusted role or agent IDs to the memory helpers until path validation is added, and do not treat the policy executor as a real sandbox; only register trusted local callables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tainted flow: 'path' from os.environ.get (line 13, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
import json
import os
MEMORY_PATH = os.environ.get("MEMORY_PATH", "memory")  # assumed: the env source is named in the finding, not shown

def save_memory(agent_id: str, data: dict):
    # agent_id is joined in unvalidated: "../x" or an absolute path escapes MEMORY_PATH
    path = os.path.join(MEMORY_PATH, f"{agent_id}.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump(data, f, indent=2, ensure_ascii=False)

def load_memory(agent_id: str):
    ...  # the scanned excerpt ends here
Confidence
95% confidence
Finding
with open(path, "w", encoding="utf-8") as f:
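The path validation the overview asks for, as an added example that is not the skill's own code. It keeps the unvalidated join from the finding only for comparison and adds two independent checks to the hardened helpers: an allowlist on the agent ID and a containment check on the resolved path. The environment variable name AGENT_MEMORY_PATH, the root parameter and the hostile sample ID are assumptions made for the example.

```python
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed: the memory folder is configured through an environment variable
# (the finding names os.environ.get as the source; the variable name is ours).
MEMORY_PATH = os.environ.get("AGENT_MEMORY_PATH",
                             os.path.join(tempfile.gettempdir(), "agent-memory"))

# Allowlist for agent IDs: no separators, dots or shell-significant characters.
_AGENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def memory_file(agent_id: str, root: Optional[str] = None) -> Path:
    """Return the validated on-disk path for agent_id, or raise ValueError.

    Both checks matter: the allowlist rejects traversal and absolute paths
    before any filesystem call, and the containment check on the resolved
    path catches whatever a later relaxation of the allowlist might permit.
    """
    if not _AGENT_ID_RE.fullmatch(agent_id):
        raise ValueError(f"invalid agent id: {agent_id!r}")
    base = Path(root or MEMORY_PATH).resolve()
    target = (base / f"{agent_id}.json").resolve()
    try:
        target.relative_to(base)          # raises if target is outside base
    except ValueError:
        raise ValueError(f"agent id escapes memory folder: {agent_id!r}") from None
    return target


def is_valid_agent_id(agent_id: str, root: Optional[str] = None) -> bool:
    try:
        memory_file(agent_id, root)
        return True
    except ValueError:
        return False


def save_memory(agent_id: str, data: dict, root: Optional[str] = None) -> Path:
    path = memory_file(agent_id, root)
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        json.dump(data, f, indent=2, ensure_ascii=False)
    return path


def load_memory(agent_id: str, root: Optional[str] = None) -> dict:
    path = memory_file(agent_id, root)
    if not path.exists():
        return {}
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def vulnerable_path(agent_id: str, root: str) -> str:
    """The unvalidated join from the finding, kept only for comparison."""
    return os.path.join(root, f"{agent_id}.json")


def demo() -> dict:
    """Compare both versions on a benign and a hostile (constructed) agent ID."""
    root = tempfile.mkdtemp(prefix="memdemo-")
    hostile = "../../etc/passwd"            # constructed sample, not from the page
    escaped = os.path.normpath(vulnerable_path(hostile, root))
    save_memory("agent-1", {"notes": ["hello"]}, root)
    return {
        "vuln_escapes": not escaped.startswith(root + os.sep),
        "hardened_rejects": not is_valid_agent_id(hostile, root),
        "roundtrip": load_memory("agent-1", root) == {"notes": ["hello"]},
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist alone would be enough for the IDs in this example, but the containment check costs one `relative_to` call and survives future changes to the regex, a symlinked memory folder, or a caller that bypasses the ID check and passes a path straight in.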

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function explicitly renders the agent's chain-of-thought to the terminal, which can expose sensitive internal reasoning, hidden policy logic, secrets echoed during deliberation, or prompt-derived confidential data to any local observer or logs capturing terminal output. In an agent framework, this is especially risky because internal reasoning often contains more information than the final answer and is not intended for user disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The handler renders both the prompt and the full raw JSON payload directly into a local web page, which can expose sensitive internal reasoning data, agent state, or prompts to anyone with access to the listening interface. Although bound to 127.0.0.1 by default, local exposure is still meaningful in multi-user systems, shared workstations, browser-sync setups, port forwarding, or malware-assisted localhost access, and there is no authentication, redaction, or user warning.

Ssd 3

Medium
Confidence
93% confidence
Finding
The coordinator returns the original user prompt plus each agent's `thought_process` in a structured response, which can expose sensitive user input, hidden chain-of-thought, tool context, credentials, or policy/debug data to callers and downstream logs. In a multi-agent framework, aggregating all agents' internal reasoning increases the attack surface because one agent may surface sensitive data produced or observed by another.
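The three disclosure findings above (terminal, local web page, coordinator response) share one fix: shape the response once, before it reaches any sink, so that by default callers get only each agent's answer. The following is an added example, not the project's code; the field names prompt, agents, thought_process and answer, the debug flag and the secret patterns are assumptions, and the sample response is constructed for the example.

```python
import re

# Constructed sample of what the finding describes: the original prompt plus
# every agent's internal reasoning, returned to the caller as one structure.
SAMPLE_RESPONSE = {
    "prompt": "Summarise the deploy notes. Token is sk-live-EXAMPLE1234567890",
    "agents": [
        {"name": "planner",
         "thought_process": "User pasted a secret; keep it in context for the deploy step.",
         "answer": "Plan: read notes, draft summary."},
        {"name": "writer",
         "thought_process": "Policy file says: never mention internal region names.",
         "answer": "Deploy notes summarised: two services updated."},
    ],
}

# Secret-shaped patterns (assumed shapes; extend for your own environment).
_SECRET_PATTERNS = [
    re.compile(r"sk-[A-Za-z0-9-]{16,}"),          # vendor-style API keys
    re.compile(r"AKIA[0-9A-Z]{16}"),              # AWS access key ID format
    re.compile(r"(?i)bearer\s+[A-Za-z0-9._-]+"),  # bearer tokens
]


def redact(text: str) -> str:
    """Best-effort masking of secret-looking substrings; not a substitute for dropping fields."""
    for pat in _SECRET_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


def shape_response(raw: dict, *, debug: bool = False) -> dict:
    """Return the caller-facing view of a coordinator response.

    Default: answers only. The prompt and each agent's thought_process are
    dropped entirely rather than redacted, because reasoning leaks more than
    secrets (policy logic, other agents' context). With debug=True they are
    included, but still passed through redact().
    """
    out = {"agents": []}
    if debug:
        out["prompt"] = redact(raw.get("prompt", ""))
    for agent in raw.get("agents", []):
        entry = {"name": agent.get("name"), "answer": redact(agent.get("answer", ""))}
        if debug:
            entry["thought_process"] = redact(agent.get("thought_process", ""))
        out["agents"].append(entry)
    return out


def leaks_reasoning(shaped: dict) -> bool:
    """True if any agent entry still carries its chain-of-thought."""
    return any("thought_process" in a for a in shaped.get("agents", []))


if __name__ == "__main__":
    print(shape_response(SAMPLE_RESPONSE))
    print(shape_response(SAMPLE_RESPONSE, debug=True))
```

Feed the shaped structure to the terminal renderer, the localhost page and the API response alike; if a debug view is needed, gate it behind an explicit flag and a user-visible warning rather than making it the default.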

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal