Agent Defender

Security checks across malware telemetry and agentic risk

Overview

The skill is a security scanner, but it also includes under-scoped autonomous research, rule-sync, backup/restore, and cross-project execution tools that users should review carefully before installing.

Install only if you explicitly want an experimental security tool with autonomous rule-development and cross-project sync features. Do not start defenderctl.sh or the research daemon unless you trust the sibling projects it reads from, have reviewed the rules it will import, and are comfortable with repeated background execution and local rule modification. Treat its runtime-protection claims as limited until independently tested.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (37)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if test_runner.exists():
    try:
        result = subprocess.run(
            ['python3', str(test_runner)],
            cwd=str(EXPERT_MODE),
            capture_output=True,
Confidence
87% confidence
Finding
result = subprocess.run( ['python3', str(test_runner)], cwd=str(EXPERT_MODE), capture_output=True, text=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if perf_optimizer.exists():
    try:
        result = subprocess.run(
            ['python3', str(perf_optimizer)],
            cwd=str(EXPERT_MODE),
            capture_output=True,
Confidence
87% confidence
Finding
result = subprocess.run( ['python3', str(perf_optimizer)], cwd=str(EXPERT_MODE), capture_output=True, te

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The document explicitly states that agent-defender runs an automatic continuous research and rule-generation loop, which expands behavior beyond the declared defensive scanning/protection/audit scope. Scope drift in a security skill is dangerous because it can justify unattended background activity, code or rule changes, and interactions with external systems that users did not clearly authorize.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The document presents inconsistent responsibility boundaries: one section says agent-defender only executes protection, while other sections describe threat-intel retrieval, sample exploration, and rule generation. This inconsistency is risky because it can conceal or normalize broader capabilities, making reviewers and users underestimate what the skill may do autonomously.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The document explicitly describes a daemonized autonomous R&D system and directs operators to start it, which materially expands the skill’s effective behavior beyond the manifest’s stated scope of scanning, protection, DLP, and auditing. In a security tool, undisclosed autonomous background activity increases operational and trust risk because users may enable persistent processes or self-modifying workflows they did not consent to or evaluate.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The report documents synchronization from an external source ('灵顺 V5') and rule-integration workflows that are not declared in the manifest, indicating undisclosed supply-chain and behavior-expansion risk. For a defensive scanning skill, importing external rules or content can change detection logic, introduce unreviewed behavior, or create a path for poisoned updates if the source and validation controls are not transparent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The guide documents agent-defender as an automated R&D/orchestration system, which materially exceeds the declared scope of a security-defense platform. Scope expansion is dangerous because users may grant broader trust, permissions, or deployment authority than intended, enabling autonomous code, rule, or workflow changes outside expected security operations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This section describes end-to-end automated development and publishing workflows, including progression from requirement to release, which is significantly broader than the stated defensive purpose. If relied on as documented, the skill could be used to autonomously create and ship changes without adequate review, increasing risk of unsafe releases, supply-chain abuse, or unintended modifications.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guide promotes broad multi-skill orchestration for concurrent development across several security-related skills, which extends beyond a narrow defense function into general automation and coordination. In a security skill context, this increases blast radius because one trusted skill can influence multiple repositories or workflows, amplifying mistakes or abuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Automated task decomposition and execution aimed at improving product metrics introduces generalized autonomous planning and action-taking not justified by the declared security-defense scope. Such capability can drive unreviewed modifications, invoke arbitrary scripts, or optimize toward metrics in ways that bypass safety, quality, or operational controls.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The assessment document describes operational capabilities such as continuous research automation, daemon control, backup management, and rule synchronization that materially exceed a narrow 'scan skill / start protection / DLP / audit' defensive scope. Even though this is documentation rather than executable code, normalizing these extra-system behaviors increases the chance the skill will be granted broader filesystem, process, and synchronization access than necessary, expanding attack surface.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Documenting backup creation, archive retention, and one-click restore introduces data-changing and data-recovery operations unrelated to pure security analysis. In a skill context, restore capability is especially sensitive because it can overwrite project state, reintroduce stale or malicious files, or expose archived data if the backup location is insecure.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Cross-device synchronization via Syncthing is not inherently malicious, but it is outside the minimum scope expected for a defensive scanning skill and can move rule sets, logs, backups, or scanned artifacts across trust boundaries. That creates risk of unintended data disclosure, propagation of poisoned rules/configuration, and persistence beyond the local environment.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
The document lists unrelated local project paths and backup locations beyond the immediate skill directory, signaling expected access to other workspace content. In a defensive skill, references to external project locations increase concern because they encourage broader filesystem reach than necessary and may expose sensitive neighboring repositories or user data.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The plan directs use of external orchestration tooling and automation workflows outside the core stated purpose of a defensive scanning skill, including cross-workspace scripts and automated task runners. In a skill context, this expands operational scope and trust boundaries, increasing the chance of unintended code execution, supply-chain exposure, or misuse of unrelated local tooling.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The restore path can overwrite live `rules/` and `integrated_rules/` state from an archive without validating archive contents, target paths, or integrity. In a security product, replacing active rule sets changes defensive behavior and could disable detections or roll back protections, making this more sensitive than an ordinary backup utility.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script’s actual behavior centers on starting, stopping, and monitoring a research daemon plus syncing rules, which does not match the advertised security-defense capabilities in the skill metadata. In a security tool context, this capability mismatch is dangerous because users may trust it to perform scanning or protection that it never actually provides, creating a false sense of security and leaving systems unprotected.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The inline messaging and help output brand the script as an 'agent-defender' management utility, but all exposed commands operate a research workflow and rule synchronization process rather than security defense operations. In security-sensitive environments, misleading operator documentation can cause administrators to deploy the tool in place of real protection, resulting in monitoring gaps and operational risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script is hard-wired to read rules from multiple sibling skills and then write synthesized outputs into the agent-defender skill directory. That cross-skill read/write behavior expands trust boundaries and can let untrusted or less-reviewed rule content from other skills influence defender outputs, creating a supply-chain style integrity risk rather than a purely local integration task.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The deduplication step is invoked before integration populates self.integrated_rules, so it effectively does nothing despite the code comments suggesting protection against duplicate rules. In this security context, duplicate or colliding rule IDs can cause inconsistent indexing, overwrite-like behavior in downstream consumers, or inflated rule counts that weaken confidence in defender outputs.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The file implements an autonomous self-directed R&D loop that continuously analyzes inputs, generates rules, runs tests, and propagates changes every five minutes. That behavior materially exceeds the declared defensive functions and increases attack surface because it enables unattended code-adjacent change management and persistent operation without clear authorization boundaries or human review.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The skill executes external Python programs for tests and optimization, which gives the daemon a generalized code-execution capability unrelated to the minimum required behavior of a defensive scanner/protector. In context, this is more dangerous because the process is designed to run repeatedly as a daemon, so any compromise of those scripts can be triggered automatically and persistently.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The daemon copies generated rules into a sibling agent-defender project, giving it cross-project write capability beyond the expected scope of a scanner/protection skill. If abused or fed malicious rule content, this can tamper with another component's behavior and create a supply-chain style propagation path inside the local workspace.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The module and CLI claim to provide runtime protection, but the --start path only sleeps and prints status markers without collecting events, invoking check_event, or enforcing should_block. This creates a false sense of security: operators may believe active monitoring and blocking are in place when no protection is actually occurring.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file header and CLI messaging describe this as a real-time behavior protection module, but the implementation does not perform runtime observation or blocking. Misleading security documentation is dangerous because defenders may rely on nonexistent controls during incident response or deployment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal