Agent Loops

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate multi-agent workflow runner, but live mode gives nested agents broad code-changing and publishing authority while saving full prompts and outputs to disk.

Install only if you intentionally want a powerful multi-agent runner. If you do:
  • Use dry-run first.
  • Run on a clean branch or sandbox.
  • Avoid secrets in prompts.
  • Review or delete saved run logs.
  • Verify the Claude and agent-swarm configuration it will inherit.
  • Require explicit human approval before running `skill_publish` with `--apply`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
start = time.time()
try:
    result = subprocess.run(
        cmd,
        capture_output=True, text=True,
        timeout=timeout_sec,
Confidence
92% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout_sec, cwd=cwd or str(OPENCLAW_HOME), env={**os.environ,

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly advertises shell execution, file read/write, environment access, and the ability to run multi-agent workflows, yet no permissions are declared. That mismatch undermines least-privilege controls and can cause users or the platform to underestimate the real execution surface, especially because `--apply` performs real actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises live multi-agent execution, subprocess spawning via `claude -p`, output chaining, and persistence of run artifacts to `runs/`, but it does not clearly warn users that `--apply` may execute actions, generate or modify files indirectly, and store sensitive prompts, code, or secrets on disk. In a workflow-orchestration skill, this omission is more dangerous because users are encouraged to run autonomous multi-step tasks over arbitrary project input, increasing the likelihood that confidential data or unsafe agent-generated actions are persisted without informed consent.

Vague Triggers

High
Confidence
94% confidence
Finding
The skill description is framed so broadly that it could match a large fraction of normal software-related requests, causing the orchestrator to activate in situations where a narrower or safer skill would be more appropriate. Because this skill can spawn multi-agent workflows with code-writing and shell capabilities, over-triggering materially increases the chance of unintended execution and unsafe delegation.

Vague Triggers

High
Confidence
92% confidence
Finding
The trigger examples are broad and conversational, overlapping with everyday requests like building, debugging, reviewing, researching, and refactoring. In context, this is dangerous because the skill is not merely advisory; it orchestrates real chained agent execution, so ambiguous invocation guidance can lead to unnecessary or premature tool use.

Vague Triggers

High
Confidence
97% confidence
Finding
The workflow-selection table uses highly generic phrases such as 'build me an app' and 'this isn't working,' which are common in ordinary conversation and can collide with unrelated requests. Since selection from this table leads directly to execution-oriented workflows, ambiguous matching increases the risk of launching powerful automation on underspecified or unintended tasks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to use `--apply` to 'actually spawn agents' but does not clearly warn that this can perform real shell operations, read/write files, and propagate user input through multiple agents. That omission weakens informed consent and makes accidental real-world actions more likely, particularly for users who may assume examples are illustrative rather than operational.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples normalize `--apply` for implementation, debugging, and review tasks without cautioning that these flows may alter the codebase or otherwise act on the environment. In a skill dedicated to software delivery workflows, such examples materially increase the chance that users execute impactful automation before validating scope, permissions, or safety constraints.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description contains very broad trigger phrases such as building software, fixing bugs, reviewing code, researching topics, and publishing skills. In an agent-routing system, this can cause the skill to activate for a large portion of ordinary user requests, increasing the chance of unintended invocation, privilege overreach, and unsafe delegation into powerful multi-step workflows.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The runner persistently stores full user prompts and raw agent outputs to disk without consent, minimization, encryption, or redaction. In this skill's context, those prompts and outputs may include source code, credentials, internal architecture, bug details, or other sensitive business data, making local retention a meaningful privacy and security risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
This workflow is explicitly designed to publish a skill to an external destination, but the description and flow do not constrain when publishing may occur or require an explicit user approval gate. In an agent-orchestrated environment, underspecified activation scope increases the chance that a routine request to test, review, or improve a skill could cascade into an unintended release action.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The publish step performs an external release operation to ClawHub but provides no user-facing warning, confirmation, or checkpoint before invoking the publisher. Because the step is only marked optional rather than gated, an agent may still execute it automatically, which can cause unauthorized publication of code, metadata, or sensitive content.

Ssd 3

Medium
Confidence
98% confidence
Finding
This code records raw plain-language inputs and outputs from multi-agent workflows, which can capture sensitive proprietary or personal information verbatim for later exposure. Because the skill is designed for software development and debugging, the captured content is especially likely to contain secrets, stack traces, internal code, and incident details.

VirusTotal

66/66 vendors flagged this skill as clean.