Beddel

Security checks across malware telemetry and agentic risk

Overview

This is a coherent YAML workflow skill, but it grants workflows broad authority (local command execution, environment-variable access, plugin installation, and delegated agents) without enough guidance on how users keep those capabilities in check.

Install only if you intend to treat Beddel YAML as executable automation rather than declarative configuration. Review every workflow before running it, paying particular attention to `shell_exec`, `$env`, `agent-exec`, and plugin-install steps; prefer read-only sandboxing, run with a minimal environment, and avoid untrusted or LLM-generated workflows unless you add your own allowlists and confirmation gates. No artifact-backed deception, exfiltration, or destructive payload was found: the Review verdict reflects broad, under-scoped authority rather than proven malware.
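As an added example (not part of Beddel or of this review), the kind of pre-execution gate the paragraph above recommends, in Python: it parses a workflow, walks every node, flags the `shell_exec`, `agent-exec`, plugin-install and `$env` usages that the findings below call out, enforces a command allowlist, and decides whether to run, ask for confirmation, or block. It also shows how to hand the runner a minimal environment. The step layout (a `steps` list, a `tool` key naming the primitive, a `sandbox` key on `agent-exec` steps, `$env.NAME` references, `read-only` as the safe sandbox mode) is assumed for illustration and not taken from Beddel's schema; the sample workflow is constructed.

```python
"""Pre-execution review gate for a Beddel-style YAML workflow.

Added example, not Beddel's own code. The step schema (a "steps" list, a
"tool" key naming the primitive, a "sandbox" key on agent-exec steps,
"$env.NAME" references, "read-only" as the safe mode) is ASSUMED for
illustration; adapt the selectors to the real schema before relying on it.
"""
import json
import os
import re

try:
    import yaml  # PyYAML, if installed
except ImportError:  # fall back to JSON, which is a strict subset of YAML
    yaml = None

RISKY_SANDBOX = {"workspace-write", "danger-full-access"}  # named in the findings
ENV_REF = re.compile(r"\$env(?:\.|\[)")  # assumed syntax for $env references


def load_workflow(text):
    """Parse YAML (via PyYAML when available) or JSON text into plain objects."""
    if yaml is not None:
        return yaml.safe_load(text)
    return json.loads(text)


def walk(node, path=""):
    """Yield (path, node) for every node in a nested dict/list structure."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def review(workflow, allowed_commands=()):
    """Return findings [(severity, path, message)] for risky primitives.

    allowed_commands: shell_exec command strings a human reviewer has approved
    (exact match); any other shell_exec command is a high finding.
    """
    findings = []
    for path, node in walk(workflow):
        if isinstance(node, str) and ENV_REF.search(node):
            findings.append(("medium", path, "reads environment via $env"))
        if not isinstance(node, dict):
            continue
        tool = node.get("tool")
        if tool == "shell_exec":
            cmd = str(node.get("command", ""))
            if cmd not in allowed_commands:
                findings.append(("high", path, f"shell_exec outside allowlist: {cmd!r}"))
        elif tool == "agent-exec":
            mode = node.get("sandbox", "read-only")  # assumed default
            if mode in RISKY_SANDBOX:
                sev = "high" if mode == "danger-full-access" else "medium"
                findings.append((sev, path, f"agent-exec sandbox {mode!r}"))
        elif tool == "plugin-install":
            findings.append(("high", path, f"installs plugin {node.get('name')!r}"))
    return findings


def gate(findings):
    """'run' if clean, 'confirm' if only medium findings, 'block' on any high."""
    severities = {sev for sev, _, _ in findings}
    if "high" in severities:
        return "block"
    return "confirm" if "medium" in severities else "run"


def minimal_env(keep=("PATH", "HOME", "LANG")):
    """Environment to hand the workflow runner: only the named variables survive."""
    return {k: v for k, v in os.environ.items() if k in keep}


# Constructed sample (JSON, so it also parses as YAML); not a real Beddel file.
SAMPLE = """
{
  "name": "plugin-check",
  "steps": [
    {"id": "list", "tool": "shell_exec", "command": "ls ./plugins"},
    {"id": "install", "tool": "plugin-install", "name": "some-plugin"},
    {"id": "verify", "tool": "agent-exec", "sandbox": "danger-full-access",
     "prompt": "verify the install using $env.API_TOKEN"},
    {"id": "summarize", "tool": "llm", "prompt": "Summarize the results"}
  ]
}
"""

if __name__ == "__main__":
    found = review(load_workflow(SAMPLE), allowed_commands=("ls ./plugins",))
    for sev, path, msg in found:
        print(f"{sev:6} {path}: {msg}")
    print("decision:", gate(found), "| env passed to runner:", sorted(minimal_env()))
```

On the sample, the allowlisted `ls ./plugins` passes, the plugin-install step and the `danger-full-access` agent step are high findings, the `$env.API_TOKEN` reference is medium, and the gate returns `block`; a workflow with only medium findings returns `confirm`, which is where a user-facing prompt belongs.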

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The example workflow's actual behavior is to inspect, install, and verify an OpenClaw plugin on the local system, which is materially different from the stated skill purpose of running or validating YAML AI workflows. That mismatch increases the risk of unauthorized system modification, because a user invoking a workflow utility would not reasonably expect package- or plugin-management side effects.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The workflow uses shell execution to run local system commands for plugin discovery and installation, giving the skill unnecessary host-level capabilities relative to its advertised function. Shell-based package management expands the attack surface and can lead to arbitrary local changes, especially if invoked in automated or privileged agent environments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The primitive reference exposes a built-in `shell_exec` capability that allows workflows to invoke arbitrary OS commands through the `tool` primitive. In the context of a YAML workflow execution skill, this materially expands the attack surface from declarative orchestration into direct command execution, enabling file access, network pivots, or destructive local actions if untrusted workflow content is run.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
The documented `agent-exec` primitive supports `workspace-write` and `danger-full-access` sandbox modes, allowing delegated agents to modify files or operate with minimal isolation. For a workflow runner, this creates a powerful execution path where untrusted YAML can cause autonomous agent actions beyond simple workflow orchestration, including code changes, secret exposure, or destructive system operations.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrases include broad activators such as `create a workflow` and `multi-step LLM`, which can match many unrelated user requests and cause this skill to be invoked outside its intended context. Over-broad activation increases the chance that users are funneled into a capability that can execute workflows and shell-backed tooling when they did not explicitly request it.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The workflow can install a plugin without any user-facing disclosure in the manifest or example text, creating a hidden side effect that users may not have consented to. In agent settings, undisclosed installation behavior is dangerous because it can alter the execution environment and establish additional code paths or trust relationships.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation presents shell command execution as a normal primitive capability without any warning that workflows may run external commands on the host. This increases the likelihood that users treat untrusted YAML as safe declarative content, when it may actually trigger system-level actions through `shell_exec`.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation describes external agent execution with writable and dangerous sandbox modes but does not warn that these modes permit filesystem modification and broader host interaction. In a skill marketed for YAML workflow execution, omission of these warnings can mislead users into granting excessive privileges to untrusted or poorly reviewed workflows.

VirusTotal

58/58 vendors flagged this skill as clean. A clean antivirus result speaks to known-malware signatures in the artifact, not to the over-broad authority described in the findings above, which is not something signature scanning detects.
