Revolution Auto-Evolution

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about autonomous multi-agent work, but it enables recurring agent-driven file and skill changes without enough scoping or approval guardrails.

Install only if you intentionally want autonomous agents to work through local task files. Use an isolated workspace, keep version-control backups, review every task file and generated prompt before enabling cron, and require manual approval for destructive, credentialed, publishing, or production-impacting actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README explicitly promotes autonomous execution ('build things while you sleep') and automatic packaging, but it does not warn users that the skill can make ongoing changes to workspace files, tasks, and generated outputs without interactive confirmation. In a multi-agent orchestration skill, that omission materially increases the chance of unsafe deployment, misuse, or unintended data/code modifications by encouraging unattended operation.

Missing User Warnings

Medium
Confidence: 97%
Finding
The setup section instructs users to enable heartbeat/cron-based autonomous processing without any warning, approval gate, or restriction guidance. Because this creates recurring unattended execution of coordinator and spawned sub-agents, it raises the risk of repeated unsafe actions, runaway task processing, or persistent modification of workspace state if tasks or prompts are malformed or adversarial.

Vague Triggers

Medium
Confidence: 83%
Finding
The description and 'Use when' text are broad enough to match generic autonomous-task requests, which can cause the skill to activate outside tightly bounded scenarios. Because this skill is a meta-orchestrator that delegates execution to sub-agents, overbroad triggering increases the chance of unintended autonomous actions, scope creep, or application to sensitive tasks without explicit user confirmation.

Missing User Warnings

Medium
Confidence: 92%
Finding
The markdown instructs users to run coordinator, monitor, cron, and packaging flows that can modify workspace files, task state, and scheduling configuration, but it does not prominently warn that these actions are state-changing. In a self-iterating multi-agent system, lack of explicit modification warnings makes accidental persistence, file changes, and recurring autonomous execution significantly more likely.

Vague Triggers

Medium
Confidence: 84%
Finding
The package description advertises a 'fully automatic multi-agent evolution system' that can automatically iterate to complete complex tasks, but it does not define user-consent boundaries, execution limits, or safety constraints. In an agent-orchestration skill, overly broad autonomy claims can normalize unsafe task execution scope and increase the chance that downstream components perform actions without clear authorization or review gates.

Missing User Warnings

Medium
Confidence: 84%
Finding
The script permanently deletes task files from the active directory immediately after writing an archive copy, with no confirmation, dry-run mode, rollback, or verification that archival succeeded durably. In an autonomous multi-agent workflow, this increases the risk of unintended data loss, tampering cover-up, or premature removal of evidence/state if the script processes attacker-influenced task files or misconfigured paths.

VirusTotal

65/65 vendors flagged this skill as clean.