Agent Coordination

Security checks across malware telemetry and agentic risk

Overview

This looks like a real agent-coordination skill, but it gives broad persistent authority and includes an unsafe hard-coded local autonomy exception that needs review before use.

Install only if you intend the assistant to manage VibeKanban tasks and dispatch coding agents. Before using it, remove or override the hard-coded full-autonomy local path, require confirmation before launching workspace sessions or deleting tasks, and treat failed CI logs as potentially sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
71% confidence
Finding
The skill documents shell-capable behavior such as running `git status` and CI-monitoring scripts, but it declares no permissions or guardrails for those actions. This creates a trust and policy gap: operators may invoke shell-capable behavior without explicit consent, review boundaries, or least-privilege controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The declared purpose is agent coordination, but the skill also instructs direct operational actions around CI/GitHub monitoring that go beyond pure orchestration. This mismatch can cause unexpected tool use and privilege exposure, especially if users or systems assume the skill is limited to lightweight planning and delegation.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation grants an exception for 'Full autonomy' in a specific local repository, directly contradicting the stated coordination-only role. A hard-coded local path with autonomous execution authority can enable unreviewed code changes or destructive actions on a developer machine without clear user re-authorization.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill states the coordinator must not write or edit code, then immediately creates an exception allowing autonomous execution in a local repository. This inconsistency undermines operator expectations and safety review, making it easier for the skill to transition from advisory behavior into direct modification of local code.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger list contains many broad conversational phrases such as 'you're my cos' and 'be my cos', which increases the chance of accidental or contextually inappropriate activation. Unintended activation matters here because the skill changes behavior globally toward delegation and task creation, potentially altering how subsequent requests are handled.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The persistent CoS mode is defined to last for the entire conversation and says to never revert unless explicitly told, but it does not define clear boundaries, expiration, or safe deactivation. Persistent state changes can cause the agent to keep delegating or invoking tools in later turns where the user no longer expects that behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Permitting autonomous actions in a specific local filesystem path without any warning or consent flow is risky because local repositories may contain sensitive data, credentials, or uncommitted work. The instruction normalizes direct action in a user environment without surfacing data loss, integrity, or privacy implications.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The workflow instructs the agent to create tasks and immediately start workspace sessions, but it does not require explicit user confirmation or warn that these actions can change project state and dispatch autonomous work. In an agent-coordination skill, this increases the chance of unintended task creation, agent launches, or work being initiated based on ambiguous or incomplete user requests.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The API reference documents a destructive delete_task operation with a direct usage example but provides no warning, confirmation guidance, or recommendations for safer alternatives such as archival or status changes. In an agent-coordination skill, this is more dangerous because autonomous or semi-autonomous agents may execute documented actions literally, increasing the chance of accidental task loss, workflow disruption, or deletion of audit/history records.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When CI fails, the script automatically fetches and prints failed-job logs to stdout. CI logs commonly contain stack traces, environment-derived values, internal paths, service URLs, and occasionally secrets that were improperly redacted upstream; blindly echoing them increases the chance of accidental disclosure to terminals, shared sessions, chat transcripts, or higher-level agent outputs.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation text contains very broad trigger phrases such as 'act as cos', 'be my cos', and 'create tasks for agents', which could match ordinary conversation and cause unintended skill activation. In an agent-orchestration skill, accidental activation is more dangerous than usual because it can shift the assistant into persistent delegation mode and potentially lead to external tool use or task dispatch the user did not explicitly intend.

VirusTotal

53/53 vendors flagged this skill as clean.
