Hackathon Swarm Coding

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed autonomous code generator, but its file-writing code does not confine model-generated paths to the intended project directory.

Install only in an isolated workspace with a scoped OpenRouter key. Do not include secrets or confidential data in prompts, review and clean DECISIONS.md, .learnings, raw.txt, and generated files, and do not run generated code until you have inspected it. The publisher should add strict path containment for all generated file paths before this skill is treated as routine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill explicitly reads environment variables from a parent workspace, makes outbound API requests, and writes files, yet it does not declare permissions for env, network, or shell access. That mismatch weakens user awareness and platform enforcement, increasing the chance that the skill is run with broader access than the user expects.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The description frames the skill as code generation, but the documented behavior also includes reading a workspace .env, sending API-key-backed requests to OpenRouter, and persisting prompts, decisions, and learnings to shared workspace files. This is a material behavior gap because users may not realize secrets and sensitive prompt content can be accessed, transmitted, and retained.

Vague Triggers

Medium
Confidence: 91%
Finding: The auto-integration trigger is activated by broad keywords such as 'blockchain', 'tokens', 'NFTs', and 'smart contracts', which can match casual discussion, documentation, or unrelated requests rather than explicit user consent to add wallet/auth infrastructure. In an autonomous code-generation skill, this can silently expand scope and introduce sensitive authentication or blockchain components, increasing attack surface and creating potentially unsafe code paths the user did not request.

Missing User Warnings

Medium
Confidence: 88%
Finding: The code persists the raw user prompt into workspace artifacts such as DECISIONS.md and related project files without any sanitization, minimization, or disclosure. If prompts contain secrets, personal data, proprietary code, or internal URLs, this creates unintended retention and wider exposure to anyone with filesystem or artifact access.

Missing User Warnings

Medium
Confidence: 84%
Finding: The orchestrator stores full raw LLM responses in raw.txt, which may include echoed user data, generated credentials, internal design details, or unsafe content from the external model. Persisting this output broadens the data-retention surface and can expose sensitive information long after generation completes.

Ssd 3

Medium
Confidence: 97%
Finding: The skill warns that it stores prompts and agent reasoning in DECISIONS.md and .learnings/, and it writes those files into a shared parent workspace. This creates a direct data-retention and leakage risk because secrets, internal context, user corrections, and sensitive architecture details may be captured in long-lived plaintext artifacts accessible to other processes or future users of the workspace.

Ssd 3

Medium
Confidence: 96%
Finding: The continuous-improvement workflow explicitly instructs the system to preserve worker failures, user corrections, and execution context in long-lived learning logs. That institutionalizes accumulation of potentially sensitive natural-language data over time, increasing exposure surface and making accidental disclosure more likely.

Ssd 3

Medium
Confidence: 96%
Finding: The metadata explicitly states that project files, decision logs, user prompts, and agent reasoning are retained across runs, which creates a persistent natural-language data store containing potentially sensitive information. In a multi-agent coding system, these artifacts can capture secrets, internal architecture, proprietary prompts, or security-relevant reasoning that may later be exposed through workspace access, backups, or downstream tooling.

Ssd 3

Medium
Confidence: 94%
Finding: The warning confirms that DECISIONS.md and .learnings/ may contain sensitive prompts and architectural details, which indicates the system is knowingly designed to preserve private user data in durable artifacts. Because these outputs are written to shared workspace locations and retained across runs, the skill context makes leakage more dangerous by increasing the chance of unintended reuse, inspection by other processes, or accidental inclusion in source control.

Ssd 3

Medium
Confidence: 90%
Finding: The user prompt is copied into multiple long-lived files in plain text, increasing the number of locations where sensitive input may leak. This amplification makes accidental disclosure, over-sharing in repos, backups, or support bundles more likely.

Ssd 3

Medium
Confidence: 93%
Finding: The full user description is forwarded to an external LLM provider during planning without any sensitivity filtering or minimization. This can disclose secrets, proprietary requirements, or regulated data to a third party and may violate least-privilege handling of user content.

Ssd 3

Medium
Confidence: 94%
Finding: Each worker receives the full project prompt again, multiplying disclosure of potentially sensitive user content across repeated downstream model calls. Repetition also increases the chance that sensitive text is echoed into generated files, logs, or model outputs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal