Nm Attune Mission Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This workflow skill is not malicious, but it can create GitHub issues, edit project artifacts, persist local mission history, and reduce checkpoints in response to broad user phrases, so users should review it before installing.

Install only if you want an agent to manage an entire project lifecycle and you are comfortable with local .attune state files. Use supervised constraints, avoid --auto, and use --no-auto-issues unless you explicitly want it to create GitHub issues and update planning documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Medium
Confidence: 80%
Finding
The skill is presented as an orchestrator, but its documented workflow includes creating GitHub issues during post-phase triage, which is an external side effect beyond simple routing. This is dangerous because users may invoke it expecting coordination only, while it can create durable tracking artifacts in external systems without a clearly foregrounded warning or separate consent boundary.

Intent-Code Divergence

Medium
Confidence: 73%
Finding
The documentation states that the orchestrator delegates entirely and never re-implements phase logic, but later describes native logic such as validation, state persistence, checkpoints, directive parsing, review loops, and triage. This mismatch can mislead users and downstream agents about the skill's actual authority and behavior, increasing the chance of unexpected actions and weakened scrutiny.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The routing module expands from coordination into performing backlog triage that can trigger external issue creation and workflow mutations. In an orchestrator context, this is dangerous because users may invoke a seemingly administrative skill and unintentionally cause repository-side effects beyond phase routing, violating least surprise and increasing the chance of unauthorized or unintended changes.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The documented use of `gh issue create` performs a real external action against GitHub based on parsed artifact content, yet the parent skill is described as lifecycle orchestration rather than repository mutation. This creates a risk of unreviewed issue spam, disclosure of sensitive planning content to remote systems, and abuse if project documents are manipulated to generate unintended issues.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
Automatically rewriting phase artifacts to append issue references mutates project documentation as a side effect of orchestration. That is risky because it can silently alter authoritative planning artifacts, create integrity problems, and make downstream phases depend on tool-driven edits that were not user-reviewed.

Vague Triggers

High
Confidence: 94%
Finding
The trigger list contains broad terms such as 'mission,' 'orchestrator,' 'lifecycle,' and 'automation,' which are common in normal conversation and can cause accidental invocation. In this skill's context, accidental activation is more dangerous because the skill can persist state, alter workflow constraints, invoke multiple downstream skills, and potentially create external artifacts.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill documentation does not prominently warn users up front that it persists mission state to disk and may create GitHub issues as part of workflow triage. This lack of early disclosure undermines informed consent and can lead to unexpected retention of project data or external ticket creation during what appears to be a routine orchestration action.

Vague Triggers

High
Confidence: 98%
Finding
The module treats broad, common phrases like "go ahead," "I trust you," and "be autonomous" as security-relevant control signals that reduce oversight and suppress checkpoints. This creates an unsafe ambiguity where normal conversational language can unintentionally downgrade governance, making it easier for risky actions to proceed with less review than the user likely intended.

Missing User Warnings

Medium
Confidence: 88%
Finding
The design allows checkpoints to be silently skipped once a directive override is detected, but it does not require a prominent, user-facing warning explaining that review gates and approval prompts will no longer appear. Users may not understand that routine oversight has been materially reduced, increasing the chance of unintended autonomous behavior.

Missing User Warnings

Low
Confidence: 90%
Finding
The skill explicitly documents persistent writes to `.attune/mission-state.json` and automatic creation of the `.attune/` directory, but it does not mention obtaining user consent or clearly warning that local files will be modified. In an orchestration skill that may be triggered during normal workflow, this can lead to unexpected filesystem changes, reduced user trust, and accidental persistence of potentially sensitive project state.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill describes automatic GitHub issue creation and artifact modification without an explicit warning or consent checkpoint about external side effects. In an automation/orchestrator skill, hidden side effects are especially dangerous because users may enable `--auto` expecting phase progression, not remote writes and document edits.

Vague Triggers

Medium
Confidence: 93%
Finding
The `--auto` flag globally forces T3-like behavior and can bypass the graduated trust model, reducing user checkpoints for all skills regardless of their demonstrated reliability. In a workflow orchestrator that routes multi-phase project actions, this increases the chance of unsafe autonomous execution, especially if combined with broad mission scopes or misclassified operations.

Ssd 1

High
Confidence: 97%
Finding
The skill treats natural-language phrases like 'ignore scope guard,' 'don't keep asking,' and 'be autonomous' as directive overrides that relax constraints and suppress approval checkpoints. This is dangerous because ordinary conversational phrasing can unintentionally disable safeguards, and a malicious user can deliberately phrase prompts to bypass review friction while still staying within seemingly normal language.

Ssd 1

High
Confidence: 99%
Finding
Benign conversational phrases are mapped to lower-governance profiles that automatically continue phase transitions and reduce approval-seeking. This is a direct semantic path from ordinary user language to reduced oversight, which is dangerous because it allows safeguards to be disabled without precise, informed intent.

Ssd 4

High
Confidence: 94%
Finding
The workflow explicitly establishes "trust signals" and then uses them to stop asking for checkpoints and approval prompts, creating a progressive reduction in oversight. That pattern is dangerous because it normalizes trust-based autonomy escalation and can convert social language into operational permission to bypass human review.

VirusTotal

64/64 vendors flagged this skill as clean.
