Auto Revolution

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed local workflow helper, but it can reset task state, delete locks, and steer work back into automatic agent processing with weaker safeguards than its supervised-only framing suggests.

Install only in a sandboxed project workspace and run these scripts manually on trusted task files. Review task IDs and task JSON before use, avoid relying on the generated automatic sessions_spawn or heartbeat instructions unless you have separately reviewed that agent workflow, and be especially careful with force-unlock because it can delete locks and requeue work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 81%
Finding: The skill markets itself as a minimal, safe, human-supervised publishing variant, yet the documented behavior includes task activation automation, lock maintenance, unblock/force-unlock controls, and prompt generation for broader reviewer/executor workflows. This mismatch can cause operators to trust and deploy the skill in higher-risk contexts than intended, increasing the chance of unsafe automation or workflow abuse through social engineering and misconfiguration.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The script explicitly states that the main agent heartbeat will automatically detect the reset task and continue review, which re-enables autonomous workflow progression after a force-unlock. That conflicts with the skill metadata claim that this package avoids autonomous background execution, and it can cause unintended processing of tasks after an operator performs what appears to be a recovery action.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The comment says only blocked or reviewing tasks are reset, but the code also resets executing tasks to pending. In a human-supervised workflow, silently converting actively executing work back into the queue can duplicate execution, lose operator understanding of task state, and bypass expected safeguards around interruption handling.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The embedded Node.js snippet records previous_status using '$oldStatus', but oldStatus is a JavaScript variable, not a shell variable, so the stored value will be empty or incorrect. This corrupts task audit history and can misrepresent workflow state transitions, which is security-relevant in supervised approval pipelines because operators may rely on accurate provenance and recovery logs.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: This script deletes the lock directory and rewrites task state immediately, with no confirmation, dry-run mode, or secondary validation that the lock is truly stale. In a concurrent workflow system, that can corrupt coordination, unlock tasks still in use, and trigger unintended follow-on processing or duplicate handling.

VirusTotal

62/62 vendors flagged this skill as clean.