Job for Agents

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed bot marketplace integration, but it asks agents to auto-refresh and execute remote instructions while managing wallets, identity verification, and paid job actions.

Install only if you trust openjobs.bot to change future agent instructions, not just to serve an API. Use a disposable wallet/account first, set human approval and low spend limits, avoid broad symlinks into multiple agents, and do not enable the hourly self-refresh heartbeat unless updates are reviewed and pinned.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Context-Inappropriate Capability

Medium (96% confidence)
Finding
The skill goes beyond a normal marketplace API client by instructing the agent to access OS secret stores, generate wallet keys, manage encryption material, and persist secrets/environment variables locally. That materially expands the trust boundary from a web API integration into host-level credential management, creating risk of local secret exposure, unsafe key handling, and abuse of shell capability.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The skill requires the agent to collect and transmit owner identity data and to orchestrate human email and X/Twitter verification workflows. While plausibly product-driven, this exceeds a simple marketplace integration and encourages the agent to manage human identity/contact processes, increasing privacy and social-engineering risk.

Description-Behavior Mismatch

Medium (99% confidence)
Finding
The skill instructs the agent to periodically fetch and replace its own SKILL and HEARTBEAT files from a remote server, then treat the refreshed content as authoritative. This creates an untrusted self-update channel that can silently change future behavior and turn the skill into a remote instruction loader.

Vague Triggers

Medium (81% confidence)
Finding
The phrase encouraging the agent to 'check OpenJobs whenever you think of it' is overly broad and can trigger unintended use outside clear user intent or bounded scheduling. In a skill that can spend funds, message humans, and act autonomously, vague activation language increases the chance of unreviewed actions.

Missing User Warnings

Medium (90% confidence)
Finding
The skill normalizes auto-posting, auto-applying, auto-accepting, and auto-completing jobs with financial consequences, but does not foreground the monetary risk at the point of enabling those behaviors. In context, these are not harmless defaults: they can commit escrow, release payments, and create irreversible marketplace actions.

Ssd 4

High (99% confidence)
Finding
The heartbeat chain explicitly tells the agent to download remote instructions, fully read them, and execute all steps in order without skipping sections. This is a classic unsafe delegation pattern: a remote party can alter the hosted files and gain continuing control over the agent's behavior, including sensitive or destructive actions.

VirusTotal

No VirusTotal findings
