Plan Flow

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate development workflow skill, but it gives the agent broad automatic code-changing authority and keeps a silent persistent project ledger without enough user control.

Install only if you are comfortable with an agent creating and modifying repository files, using git and authenticated gh, fetching API docs from URLs you provide, and maintaining a local flow/ledger.md memory file. Review generated flow/ files before committing, avoid storing secrets or sensitive business details in the ledger or .plan-flow.yml, and avoid or disable autopilot unless you explicitly want automatic workflow chaining.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly says it will 'silently' capture mistakes, corrections, and project-specific knowledge across sessions in a persistent ledger. That creates a privacy and data-governance risk because users are not given clear consent, retention, or scoping controls, and the ledger may accumulate sensitive project details over time.

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow instructs the agent to run discovery, planning, execution, review, and archiving automatically 'without asking permission,' and to avoid asking before proceeding. In context, these steps can create, modify, and move repository files, so the lack of explicit user confirmation increases the risk of unintended changes, destructive actions, and tampering with project artifacts.

Missing User Warnings

Low
Confidence: 93%
Finding
The skill explicitly states it fetches API documentation from a user-provided URL and writes an output file, but it does not disclose those side effects to the user. This creates a transparency and consent issue: users may unintentionally trigger outbound network access or filesystem changes, which is especially relevant in environments with sensitive network boundaries or strict workspace policies.

Missing User Warnings

Low
Confidence: 89%
Finding
The skill explicitly states it will create a file in the repository, but it does not warn the user that invoking the skill performs a write operation. This can lead to unexpected repository modifications, accidental inclusion of generated artifacts, or misuse in contexts where users expect read-only analysis rather than state-changing behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill is explicitly designed to modify repository contents by writing implementation files and updating the plan file, but it does not clearly warn users about those side effects before invocation. That can lead to unintended file changes, especially when used on the wrong plan file or in a sensitive repository, reducing informed consent and increasing the chance of accidental destructive or hard-to-review edits.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly says the ledger operates silently and includes recording 'user preferences beyond documented rules' into a persistent project journal. That creates a privacy and data-governance risk because users are not told what preference data may be stored, how long it will persist, or how sensitive personal or behavioral information will be excluded.

Missing User Warnings

Low
Confidence: 92%
Finding
The skill explicitly states it will create a `flow/` directory structure and generate configuration, but it does not present this as a clear safety warning or call out that invoking `/setup` modifies the target repository. In an agent context, users may interpret setup as read-only analysis, so insufficient disclosure can lead to unintended filesystem changes, noisy commits, or accidental modification of the wrong path.

VirusTotal

65/65 vendors flagged this skill as clean.