Flow

Security checks across malware telemetry and agentic risk

Overview

Flow appears to be a legitimate workflow builder, but it automatically creates and registers executable Python workflows from broad user input without sufficiently validating or rescanning the generated code.

Install only in an isolated environment, review files created under the configured flows directory and skill_registry.json before running or reusing them, and treat the displayed PASSED status as a component-scan result rather than proof that the generated workflow is safe. Consider disabling automatic registry updates and pinning dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill advertises and appears to rely on sensitive capabilities including file read/write, network access, and shell execution, but it does not declare any permissions or constraints in its manifest. For an orchestrator that composes and registers executable workflows from natural-language input, this creates a significant trust and review gap: downstream execution could access local files, invoke commands, or reach external systems without explicit user awareness or policy enforcement.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The README describes very broad natural-language activation and workflow generation behavior, which can encourage users to submit underspecified requests that trigger unintended skill discovery, composition, or execution paths. In an orchestrator that automatically selects, scans, and composes other skills, ambiguous activation materially increases the risk of unsafe or over-privileged workflows being invoked despite the presence of security scanning.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README emphasizes composition and registration of new FLOW skills but does not clearly warn that the tool can persist generated skills and other outputs to disk. That omission can mislead users about the side effects of using the skill, reducing informed consent and making it easier for a crafted request to cause unexpected file creation, artifact persistence, or accumulation of unreviewed generated skills.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The skill can be invoked from broad natural-language requests such as building automations or web scrapers, without clear trigger boundaries, safety preconditions, or operation limits. In the context of a workflow compiler/orchestrator, vague activation increases the chance that unsafe requests are interpreted as authorization to compose powerful file, network, or shell-capable workflows, leading to overbroad or unintended actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The template path is more dangerous because arbitrary template content is inserted verbatim into a Python source file with no validation, sandboxing, or trust boundary enforcement. In an agent skill orchestrator, untrusted template input can become executable code later, enabling code injection and persistence if those generated files are subsequently imported or run.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Confidence: 92%
Finding: streamlit>=1.28.0
Content (requirements excerpt):
    # Flow - Intelligent Skill Orchestrator Dependencies

    # Core dependencies
    streamlit>=1.28.0
    pandas>=2.0.0

    # Natural Language Processing

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Confidence: 91%
Finding: pandas>=2.0.0
Content (requirements excerpt):
    # Core dependencies
    streamlit>=1.28.0
    pandas>=2.0.0

    # Natural Language Processing
    nltk>=3.8.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Confidence: 94%
Finding: nltk>=3.8.0
Content (requirements excerpt):
    pandas>=2.0.0

    # Natural Language Processing
    nltk>=3.8.0
    spacy>=3.6.0

    # Security scanning

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Confidence: 90%
Finding: spacy>=3.6.0
Content (requirements excerpt):
    # Natural Language Processing
    nltk>=3.8.0
    spacy>=3.6.0

    # Security scanning
    bandit>=1.7.5

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Confidence: 88%
Finding: bandit>=1.7.5
Content (requirements excerpt):
    spacy>=3.6.0

    # Security scanning
    bandit>=1.7.5
    safety>=2.3.0

    # Code analysis

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Confidence: 90%
Finding: safety>=2.3.0
Content (requirements excerpt):
    # Security scanning
    bandit>=1.7.5
    safety>=2.3.0

    # Code analysis
    ast-grep>=0.12.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Confidence: 87%
Finding: ast-grep>=0.12.0
Content (requirements excerpt):
    safety>=2.3.0

    # Code analysis
    ast-grep>=0.12.0
    pylint>=2.17.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Confidence: 87%
Finding: pylint>=2.17.0
Content (requirements excerpt):
    # Code analysis
    ast-grep>=0.12.0
    pylint>=2.17.0

Known Vulnerable Dependency: streamlit — 8 advisories: CVE-2026-33682 (Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Expo); GHSA-8qw9-gf7w-42x5 (Minor fix to previous patch for CVE-2022-35918); CVE-2023-27494 (Streamlit publishes previously-patched Cross-site Scripting vulnerability) +5 more

Severity: High
Category: Supply Chain
Confidence: 89%
Finding: streamlit

Known Vulnerable Dependency: nltk — 10 advisories: CVE-2021-3828 (NLTK Vulnerable to REDoS); CVE-2026-33236 (NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwr); CVE-2026-0847 (NLTK has a Path Traversal issue) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 95%
Finding: nltk

Known Vulnerable Dependency: safety — 2 advisories: CVE-2020-5252 (Malicious package may avoid detection in python auditing); CVE-2020-5252 (The command-line "safety" package for Python has a potential security issue. The)

Severity: High
Category: Supply Chain
Confidence: 84%
Finding: safety

VirusTotal

65/65 vendors flagged this skill as clean.