Task Panner Validator for Agents

Security checks across malware telemetry and agentic risk

Overview

The skill is not overtly malicious, but it overstates safety while allowing auto-approved execution through arbitrary user-provided executors.

Install only if you will keep auto_approve disabled for sensitive workflows, use dry runs, review every loaded plan, and connect it only to tightly allowlisted executors. Do not rely on its built-in validator or rollback as a security boundary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module advertises itself as a 'secure' task management system, but actual execution is delegated to an arbitrary external executor while validation relies on simple substring heuristics. This can create a false sense of safety that encourages operators or downstream agents to trust and run dangerous actions that are not comprehensively constrained or sandboxed.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The code claims rollback support, but rollback_to_checkpoint only logs and returns success without restoring external state. In a system executing file, system, or data operations, users may rely on rollback for safety and recovery when in fact destructive or partial changes remain in place.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The API documentation explicitly exposes an `auto_approve` option and execution workflow, but it does not prominently warn that auto-approval bypasses a human review gate and may enable impactful actions to run without sufficient scrutiny. In an agent skill context, normalizing automatic approval can lead downstream integrators to enable unsafe defaults or build workflows that execute plans affecting files, systems, or external services without explicit user confirmation.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The example executor performs an `api_call` to an endpoint without any warning that step parameters or processed data may be transmitted to external services. In an agent ecosystem, examples strongly influence real integrations; omitting privacy and egress cautions can cause developers to unknowingly send sensitive data off-system or invoke untrusted endpoints.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document advises generating a classic Personal Access Token with full `repo` scope but does not include guidance on least privilege, secure storage, rotation, or avoiding accidental exposure in shells, files, or screenshots. While this is framed as troubleshooting guidance, encouraging broad credentials without handling precautions increases the chance of credential theft or misuse if a user follows it literally.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The force-push example includes only a brief 'Use Carefully!' label, but `git push -f origin main` can overwrite remote history and delete collaborators' work if used improperly. In a setup guide for publishing a repository, this can normalize a destructive recovery step without adequately explaining consequences, backups, or safer alternatives.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes an auto-approve mode that skips manual plan approval, but it does not clearly warn that this removes a key human safety checkpoint before executing potentially dangerous multi-step actions. In an AI-agent task execution context, documenting this convenience feature without strong guardrails can normalize unattended execution of risky operations and increase the chance of harmful or unauthorized actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly promotes `auto_approve=True` to skip manual approval for automated workflows, without a strong warning that this removes an important safeguard before executing potentially destructive or sensitive steps. In an agent setting, this can normalize unsafe deployment patterns and lead to unintended execution of high-risk actions such as deletion, migration, or API operations without human review.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This example explicitly enables auto-approval and includes an outbound email step, then executes the plan directly without any human confirmation. Even though this is demo code and uses `dry_run=True`, it normalizes a workflow where potentially externally visible actions can be approved autonomously, which is risky if copied into real integrations.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- **🔄 Rollback Support**: Checkpoint system for reverting failed operations
- **📝 Plan Persistence**: Save and load plans in JSON format
- **🎨 Integrity Verification**: SHA-256 checksums to prevent tampering
- **⚡ Execution Control**: Dry-run mode, auto-approve, and stop-on-error options
- **📊 Progress Tracking**: Real-time status updates and execution summaries
- **🔍 Detailed Logging**: Comprehensive logging for debugging and auditing
Confidence
84% confidence
Finding
auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. **Basic Usage** - Simple task planning and execution
2. **Dangerous Operations** - Handling risky operations safely
3. **Save and Load** - Persisting plans to disk
4. **Auto-Approve Mode** - Automated execution
5. **Error Handling** - Dealing with failures gracefully

Run the examples:
Confidence
80% confidence
Finding
Auto-Approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
    print("EXAMPLE 4: Auto-Approve Mode")
    print("="*60 + "\n")

    # Create planner with auto-approve enabled
    planner = TaskPlanner(auto_approve=True)

    steps = [
Confidence
95% confidence
Finding
auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
    print("EXAMPLE 5: Error Handling")
    print("="*60 + "\n")

    planner = TaskPlanner(auto_approve=True)

    def failing_executor(action: str, parameters: dict):
        """Executor that fails on specific actions"""
Confidence
88% confidence
Finding
auto_approve

VirusTotal

64/64 vendors flagged this skill as clean.