Agora

Security checks across malware telemetry and agentic risk

Overview

The Agora skill is coherent and product-focused, but it needs Review because it can install tools, change Agora project state, and write sensitive credentials locally with limited per-action confirmation.

Install only if you are comfortable with an agent operating the Agora CLI and making local/project changes. Before using quickstarts, require confirmation before global installs, project creation or selection, feature enablement, --with-secrets export, and .env.local writes; keep generated env files out of source control; redact App Certificates from logs or shared output; and review any recording, screen sharing, transcript, microphone, or camera flows for consent and retention requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
This instruction conflicts with the skill's own manifest rule to use only local reference files and not web-search external docs. In an agentic environment, telling the agent to fetch current external docs can override trusted local constraints, expand the attack surface to untrusted remote content, and cause the agent to incorporate adversarial or drifting specifications into generated code.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The guardrail explicitly instructs fetching current official docs/OpenAPI, which directly contradicts the manifest's reference-only policy. Because all skill text is effectively prompt material for an agent, this can induce the agent to access external content and trust remote instructions or schema details that were never security-reviewed as part of the skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
This workflow step again pushes the agent to consult current official docs outside the permitted reference set. Repeated conflicting instructions increase the chance that the agent will disregard the safer manifest boundary and act on unreviewed external material, leading to prompt injection, inconsistent output, or policy bypass.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The file directs the agent to fetch live external provider documentation even though the skill metadata explicitly forbids web search and requires use of only local skill reference files. This creates an instruction conflict that can cause policy bypass, inconsistent behavior, and ingestion of untrusted external content during a sensitive setup flow.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding:
The quickstart says that while unresolved the agent should read only this file and README, but later requires consulting additional CLI reference files. This contradiction can cause the agent to ignore its own guardrails or select the wrong instruction source, weakening deterministic behavior during setup.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The README explicitly instructs users to fetch platform-specific documentation from external Agora URLs, which conflicts with the skill's stated rule to use only bundled reference files and avoid external docs lookup. This creates an instruction-integrity problem: an agent following the README could be induced to leave the trusted skill boundary, increasing the risk of prompt/instruction bypass, inconsistent guidance, or reliance on mutable external content.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger conditions are very broad and include generic phrases like 'I want to build' and 'help me set up', which can match many unrelated requests. In an agentic system, this can cause unintended invocation of the Agora skill, leading to misrouting, irrelevant guidance, and possible exposure of internal routing or product-selection behavior outside its intended scope.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding:
The file positions itself as the 'first entry point' for vague or multi-product requests and instructs the agent not to 'second-guess' prior routing, but it does not define strong boundaries for what counts as an Agora-related vague request. That ambiguity increases the chance that the skill processes requests it should reject or defer, amplifying incorrect routing decisions made upstream.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The guidance recommends writing project environment data into the repository without any warning to review for secrets, avoid committing generated files, or use local-only paths. In a CLI/integration skill focused on app setup and automation, users may treat this as safe default practice and accidentally commit credentials, tokens, or other sensitive configuration into version control.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation explicitly points users to `agora project show` and especially `agora project show --json` to inspect sensitive values such as App Certificate and sign key, but it does not warn that these secrets may be exposed in terminal history, logs, screen shares, or pasted output. In a developer-assistance skill, surfacing credential-revealing commands without guardrails increases the chance of accidental secret disclosure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The `agora project env`, `--json`, and especially `env write` workflow can export or persist sensitive environment values to disk, yet the file provides no warning about file permissions, accidental commits, or leakage through shell history and tooling. Because this skill is meant to guide integration work, users may follow these steps mechanically and create plaintext secret exposure in local repos or shared development environments.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README instructs users how to enable and operate server-side cloud recording of RTC audio/video but omits any warning about privacy, consent, retention, or legal compliance. In a developer-facing integration skill, this can lead implementers to deploy recording features without notifying users or obtaining required consent, creating real-world privacy and regulatory risk.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The documentation instructs developers to create and publish a microphone audio track and to handle transcripts/messages, but it does not mention obtaining informed user consent, providing a recording/transcript notice, or minimizing collection. In a real-time voice AI context, this can lead integrators to capture and process live audio and speech-derived text without adequate privacy disclosures or controls, creating privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The instructions tell the agent to export App ID and App Certificate with secrets and automatically write them into `.env.local` without an explicit consent, masking, storage-handling warning, or least-privilege guidance. Because App Certificate is a high-value secret used for token generation, silent extraction and persistence materially increases the risk of secret exposure through logs, workspace access, or accidental commits.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding:
The sample shows how to initialize RTC, join a channel, and enable camera/microphone features without any explicit privacy UX guidance or warning that audio/video may be transmitted once the flow is invoked. In a real-time communications skill, omission of consent and disclosure guidance can lead developers to ship integrations that capture or transmit user media without sufficiently clear user awareness.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The example explicitly enables and publishes microphone and camera tracks by default without any adjacent warning about obtaining informed user consent or clearly signaling that audio/video will be transmitted once the channel is joined. In a real-time communications skill, this can lead developers to ship behavior that surprises users and results in unintended capture or disclosure of sensitive audio/video.

Missing User Warnings

Severity: Medium
Confidence: 77%
Finding:
The screen-sharing section provides a complete implementation path, including optional system audio capture, but omits an explicit warning that the selected screen contents and audio will be transmitted to other participants. In a real-time communications integration guide, this omission increases the risk that developers ship UX flows that start sharing without adequate user understanding, leading to accidental disclosure of sensitive information.

VirusTotal

64/64 vendors flagged this skill as clean.