ClawHub

multi task

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for splitting batch work across parallel subagents, with no hidden code or evidence of credential theft, exfiltration, or persistence.

Install this if you want an agent to speed up independent batch work by launching multiple subagents. Before approving a run, review the work-unit list, output directory, and batch size; use a pilot for large or sensitive batches; and avoid putting secrets or unnecessary private context into prompts that will be copied to multiple subagents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger guidance is extremely broad and encourages activation whenever work can be decomposed into 3+ similar units, even without explicit user intent for parallelization. This can cause the agent to invoke the skill in contexts where parallel subagent execution, filesystem writes, or batch processing are unnecessary, increasing the chance of unintended actions, excess resource use, and reduced user control.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to create directories, dispatch multiple parallel subagents, use background execution, and automatically retry failures, but it does not prominently warn about the operational consequences of these actions. In practice, this can lead to unexpected filesystem modifications, uncontrolled concurrency, duplicated work, or resource exhaustion if invoked on large or ambiguous task sets.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal