n8n

Security checks across malware telemetry and agentic risk

Overview

No malware is evident, but the package makes broad always-on self-improving agent claims that are inconsistent with its mostly simulated contents and weakly scoped controls.

Review carefully before installing. Treat it as a Review-bucket package, not confirmed malware: static scan and VirusTotal are clean, but the artifacts overstate production capabilities and under-document controls for always-on agents and self-modification. Install only in a sandbox, verify the publisher and actual source implementation, pin dependencies yourself, and do not provide API keys or enable persistent/auto-evolution behavior unless you have explicit stop, audit, and rollback controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The finding indicates the skill's declared purpose does not match its actual behavior: it performs installation and filesystem setup actions, references external services, and only simulates the advertised security and self-improvement capabilities. In an agent skill context, hidden setup actions and overstated security claims are dangerous because users may grant trust and permissions based on the description while the skill modifies the environment or pulls dependencies unexpectedly.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The example claims agents terminate after task completion, but each Specialist instance is appended to the class-level _registry and never removed. In long-running or repeatedly executed contexts, this creates stale object retention, inaccurate lifecycle semantics, and potential memory growth, even though this standalone demo does not expose direct code execution or privilege escalation risk.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file presents a simulated demo as if it were an operational self-improvement system, using authoritative language like 'the skill will improve itself while you sleep' while only printing messages and generating random outcomes. In an agent framework, this can mislead users into believing autonomous research, testing, and safety validation are actually occurring, which may cause unsafe trust, incorrect deployment decisions, or skipped human review based on false assurances.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly promotes self-improving behavior, dynamic agent spawning, and access to broad external tool/protocol surfaces such as MCP and A2A, but it does not clearly warn users about the resulting risks to systems, data, or connected services. In security-sensitive agent software, marketing these capabilities without prominent constraints, approval boundaries, or deployment cautions can mislead operators into enabling powerful autonomous behavior in unsafe environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly markets and operationalizes self-improvement that scans, tests, proposes updates, and evolves itself, but it does not provide a clear warning, approval boundary, or change-control mechanism. In an agent framework context, autonomous modification of behavior or dependencies can introduce unsafe code paths, privilege expansion, or silent drift from the user's original security expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-start instructions encourage immediate activation with `Council().activate()` and say 'Done' without warning that this may initiate persistent or continuous operation. Users may unknowingly start a long-running process with ongoing network, resource, billing, or data-handling effects, which is especially risky for an agent system advertised as always-on and self-improving.

Missing User Warnings

High
Confidence
98% confidence
Finding
The advanced example enables overnight auto-evolution through `enable_auto_evolution(...)` with no approval gate, warning, or discussion of what can be changed. This is dangerous because it normalizes unattended autonomous modification in a production-facing framework, increasing the risk of unauthorized changes, prompt drift, dependency compromise, and unreviewed actions occurring while operators are absent.

VirusTotal

64/64 vendors flagged this skill as clean.