Multi-Agent Dev Team

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed software-development automation skill whose file, command, Git, and agent-coordination capabilities match its stated purpose; users should nonetheless run it only in a dedicated project workspace.

Install only if you want agents to create and modify project files, run development commands, install packages, start processes, and make Git commits. Use a dedicated or backed-up project directory, review changes before commits or pushes, and provide GitHub or deployment credentials only for the specific repository or service you want the agents to modify.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: Medium. Confidence: 80%.
Finding
Granting a project-management agent shell execution creates unnecessary attack surface because prompt injection, user confusion, or workflow drift could cause the PM to run unintended commands. Since shell access can affect the host environment, this violates least privilege for an agent whose primary role is orchestration.

Intent-Code Divergence

Severity: Medium. Confidence: 77%.
Finding
The prompt contains contradictory role guidance: it says the PM is not the implementer while also authorizing tools that enable implementation and direct system changes. That mismatch is dangerous because it weakens operator expectations and makes it easier for the agent to justify taking actions outside its intended role.

Description-Behavior Mismatch

Severity: Medium. Confidence: 91%.
Finding
The example materially expands the apparent capability of a '2-agent' development skill by describing QA, DevOps, GitHub push, and Vercel deployment. This mismatch can mislead users about what the skill may do, including actions that affect external systems and publish code, increasing the risk of unintended execution or overbroad trust.

Context-Inappropriate Capability

Severity: Medium. Confidence: 94%.
Finding
The documentation promotes deployment to GitHub and Vercel even though the stated skill purpose is a 2-agent software development workflow, not public release automation. Encouraging external publication without tightly scoped justification can normalize risky behavior such as pushing proprietary code or creating public artifacts without informed consent.

Missing User Warnings

Severity: Medium. Confidence: 94%.
Finding
The README explicitly states that the Dev agent implements code, tests functionality, and commits to Git, but it does not warn users that running the skill may modify local files and repository state. In an agentic development context, omission of this warning can lead users to invoke the skill in sensitive directories or repos without understanding that automated writes and commits may occur.

Missing User Warnings

Severity: Medium. Confidence: 96%.
Finding
The quick-start flow tells users to launch the PM agent and 'simply describe what you want to build,' but omits that this may trigger code generation, file creation/modification, testing, and Git operations. Because the skill is specifically designed to automate software development, the lack of an operational warning increases the chance of unintended changes to the user's current working directory or repository.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding
The skill explicitly states that the Dev agent commits to Git, which is a state-changing action affecting the user's repository history. Because the documentation does not require explicit user approval, define safe commit boundaries, or warn about unintended commits, users may authorize the skill without realizing it can persist code changes and create misleading or unwanted history.

Missing User Warnings

Severity: Medium. Confidence: 88%.
Finding
The skill explicitly instructs the agent to use file write operations and command execution tools such as npm, git, and process management, but it does not include any user-facing warning, consent boundary, or restriction on when these system-changing actions are appropriate. In a development-agent context these capabilities are expected, but without explicit guardrails the skill can modify files, install packages, start processes, or push code in ways a user may not realize or approve.

Missing User Warnings

Severity: Low. Confidence: 75%.
Finding
The skill authorizes file-writing behavior without clearly warning the user that the PM agent may modify workspace or memory files. Lack of disclosure increases the risk of unexpected changes, especially in a multi-agent workflow where users may assume the PM only coordinates.

Missing User Warnings

Severity: Low. Confidence: 81%.
Finding
The document includes command execution capability without warning that commands may have system or repository impact. In a skill intended for orchestration, undisclosed shell access makes accidental or prompted destructive actions more plausible and harder for users to anticipate.

Missing User Warnings

Severity: Medium. Confidence: 96%.
Finding
The deployment section describes creating a GitHub repository, pushing code, and deploying to Vercel without any warning that these actions may publish code publicly or transmit project contents to third parties. In a development-agent context, this is especially dangerous because users may assume local-only assistance while the documented behavior implies outward-facing release actions with confidentiality and supply-chain implications.

VirusTotal

65/65 vendors flagged this skill as clean.