long-running-harness

Security checks across malware telemetry and agentic risk

Overview

This instruction-only project workflow skill is coherent and disclosed, but users should run it only in a clearly scoped workspace because it can guide agents to edit files, run setup scripts, commit changes, spawn subagents, and optionally schedule recurring checks.

Use this skill in a dedicated project directory, review generated init.sh and dependency files before allowing execution, check git status and diffs before commits, avoid storing secrets in progress.md or features.json, and enable cron checks only when you explicitly want recurring agent activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 89%

Finding
The trigger phrases are broad project-management terms such as '继续开发' ('continue development'), '管理任务列表' ('manage task list'), and 'project status', which can plausibly appear in ordinary conversation outside the intended scoped workflow. This creates a risk of accidental invocation of a skill that performs repository inspection, file mutations, and git-oriented workflow actions when the user may have intended only a simple discussion or status query.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding
The skill instructs the agent to create directories and files, run shell commands, execute init scripts, and perform git commits as part of normal operation, but it does not require an explicit user warning or confirmation before these side effects occur. In context, this is especially risky because the workflow is designed for long-running autonomous project management, so accidental or ambiguous activation could lead to persistent filesystem changes, execution of untrusted project scripts, and unintended version-control mutations.

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding
The template explicitly says the agent should run init.sh at the start of every session, while the provided examples install dependencies, initialize databases, run auxiliary scripts, and start background services. In an agent skill context, encouraging repeated automatic execution of environment-changing scripts increases the chance of unintended code execution, dependency-side effects, data modification, or persistent processes without an explicit safety check or user confirmation.

VirusTotal

64/64 vendors flagged this skill as clean.