Autonomous Task Runner

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed background task runner, but it can automatically install persistence and run broad user tasks with too little scoping or confirmation.

Install only if you explicitly want a long-running autonomous task queue. Before using it, review and narrow triggers, require confirmation before first-run setup, command execution, file writes outside a chosen workspace, outbound messages, and recurring jobs, and make sure there is a clear way to pause or remove the cron and HEARTBEAT.md entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises itself as operating on a single persistent queue file, but its documented behavior also creates directories, edits HEARTBEAT.md, and registers a recurring cron job. That mismatch hides materially broader persistence and system-modification behavior from users and reviewers, which can lead to unauthorized automation being installed under the guise of a simple queue.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Automatically editing a global heartbeat configuration and registering a recurring cron job gives the skill persistent execution and influence beyond normal task queuing. In the context of a skill owned by any agent with the full tool suite, this broadens its reach into system-level orchestration and could be abused to maintain ongoing execution without clear user awareness.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation claims idempotent setup, but the described logic does not verify whether the cron job already exists; it only checks queue-file existence and heartbeat text membership. This can cause duplicate recurring jobs, leading to repeated dispatches, race conditions, task duplication, and uncontrolled background activity.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The changelog documents first-run behavior that automatically creates directories and files, appends to HEARTBEAT.md, and registers a cron job, but provides no indication of explicit user consent or runtime confirmation. In a persistent task-runner skill, silent persistence and scheduler registration expand the execution surface beyond the immediate user request and can enable ongoing background actions the user did not clearly authorize.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes a persistent background system that can write files, execute commands, send messages, and schedule future actions, but it does not prominently warn users about the ongoing system and data impact of those actions. In a daemon-style skill, lack of explicit consent boundaries increases the risk of users unintentionally authorizing persistent or delayed operations that affect local files, external services, or future system behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented file-creation capability normalizes writing user files from queued background tasks without clearly warning that those writes are persistent and may occur asynchronously after the original conversation. This can lead to unintended modification of user data or creation of files in sensitive locations if task parsing or path handling is too permissive.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The messaging feature allows queued tasks to transmit content to channels or recipients, yet the README does not warn about privacy, confidentiality, or external data disclosure risks. Because tasks execute asynchronously, users may not realize that sensitive content could later be sent to third-party systems or unintended audiences.

Vague Triggers

High
Confidence
94% confidence
Finding
The INTAKE triggers are broad enough to match ordinary user requests such as 'I need you to' or 'help me with,' causing the skill to activate when users did not intend to enqueue persistent tasks. In this skill, activation is especially risky because first use can silently install persistence mechanisms and start asynchronous execution immediately.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Triggering on any message with two or more action items is ambiguous and likely to catch normal conversational requests. Because this skill persists tasks and dispatches subagents automatically, a false activation can create unintended queued work, background processing, and state changes that outlive the original conversation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The first-run setup performs persistent local changes and installs background automation, but the skill does not present a clear upfront warning before those actions occur. Lack of disclosure undermines informed consent and increases the chance that users unknowingly authorize persistent execution paths in response to an ordinary request.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The notes describe automatic first-run setup that creates directories, initializes persistent state, and registers heartbeat and backup cron behavior on the first INTAKE invocation, but they do not state any explicit user confirmation or tight trigger constraints. In a persistent task-runner skill, this broad auto-activation increases the risk of unauthorized persistence and unintended system modification from ordinary natural-language interaction.

Natural-Language Policy Violations

Low
Confidence
90% confidence
Finding
The manifest notes indicate that setup actions are forced automatically on first use with 'No manual setup required,' which removes user choice for actions that establish persistence and scheduling. Because this skill is designed to remain active indefinitely and execute asynchronous work, silent setup materially increases the danger of unwanted background execution and persistence.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section explicitly instructs the agent to create directories and write or edit files on disk, but it does not require any confirmation, path restrictions, or user-facing warning before modifying the filesystem. In a persistent task-runner that accepts natural-language tasks and executes them asynchronously, this increases the risk of unintended or unsafe file changes, including overwriting sensitive files or writing outside an expected workspace.

Missing User Warnings

High
Confidence
97% confidence
Finding
This section authorizes direct command execution and even suggests elevated execution 'if appropriate' without defining hard safety boundaries, approval requirements, or command validation. In the context of a persistent dispatcher that can run queued tasks asynchronously, this creates a strong path to arbitrary command execution, privilege misuse, and system compromise if tasks are malicious, ambiguous, or misclassified.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This section permits sending messages through configured channels or raw API calls via curl without requiring disclosure, confirmation, or destination validation. That creates a risk of unintended outbound data transmission, credential misuse, or exfiltration, especially in an always-on task queue that may process delayed or indirect instructions.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger list includes broad, everyday phrases such as "I need you to," "help me with," and "can you do," which can cause the skill to activate unintentionally during normal conversation. In this skill, accidental activation is especially risky because activation can enqueue persistent tasks and initiate long-lived automation behavior, including later dispatcher/subagent execution, filesystem writes, and cron/heartbeat integration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The main description emphasizes continuous operation but does not prominently warn that the skill persists data, modifies HEARTBEAT.md, and may register a recurring cron job on first run. This is dangerous because users may invoke the skill without informed consent, leading to stealthy or unexpected persistence mechanisms that continue operating beyond the immediate interaction.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The positive trigger set includes broad natural-language phrases like 'Do this for me' that commonly appear in ordinary user requests. In a persistent task-runner skill, such generic triggers can cause unintended activation, leading the system to enqueue and asynchronously execute actions the user likely expected to be handled inline instead.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The INTAKE mode description, 'Triggered by user message containing task intent,' is underspecified and leaves too much room for interpretation. In this skill's context, ambiguous routing is risky because activation writes to a persistent queue and may later spawn workers automatically, so false positives have effects beyond a one-turn response.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Using phrases such as 'I need you to' as positive activation examples is overly broad because they are common in normal assistant conversations and do not necessarily imply queuing or asynchronous execution. In a never-finished, persistent task system, this increases the chance of accidental task creation and background execution of user requests without clear consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase 'Help me with these' is conversationally broad and can match ordinary assistance requests that are not intended for persistent queueing. Because this skill stores tasks and executes them asynchronously via subagents, accidental activation can create unwanted durable work items and downstream actions.

Session Persistence

Medium
Category
Rogue Agent
Content
```
I need you to:
1. Research the top 5 open-source LLM frameworks and summarize pros/cons
2. Create a markdown comparison table at ~/reports/llm-frameworks.md
```

Agent responds:
```
📋 Added 2 tasks to queue:
• T-01: Research top 5 open-source LLM frameworks
• T-02: Create LLM framework comp
```
Confidence
84% confidence

VirusTotal

62/62 vendors flagged this skill as clean.
