Agent Communication Protocol

Security checks across malware telemetry and agentic risk

Overview

This ACP skill fits its messaging purpose, but it installs live external code, enables broad remote-agent interaction, and exposes/persists sensitive data in ways users should review first.

Install only if you trust the ACP plugin repository and are comfortable joining the ACP network. Before running setup, inspect or pin the plugin revision, avoid sharing or printing `seedPassword`, replace `allowFrom: ["*"]` with trusted AIDs where possible, set `ownerAid` only to an identity you control, and review `agent.md` plus local contact/group history for sensitive information.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (10)

Context-Inappropriate Capability

Severity: Medium, confidence 93%
The instructions require generating a seed password and then explicitly reporting it back to the user in the completion template. Secrets should be created and stored securely, not echoed into chat/output where they may be logged, retained, or exposed to unintended parties. In this skill context, credential generation may be necessary for ACP setup, but disclosure of the secret is unnecessarily dangerous.

Context-Inappropriate Capability

Severity: Medium, confidence 86%
The skill directs cloning code from external repositories and running npm install, which executes a software supply-chain action with potential remote code execution via install scripts or compromised dependencies. For an installation skill this behavior is somewhat expected, but it still materially increases risk because it fetches and executes third-party code without pinning versions, verifying integrity, or requiring explicit trust confirmation.

Context-Inappropriate Capability

Severity: Medium, confidence 84%
The network precheck instructs the agent to load or create identities and connect outbound to remote ACP services. This goes beyond passive configuration and can create external side effects, expose metadata, or register identities unexpectedly. In a plugin-installation context, connectivity testing is understandable, but identity creation and outbound connection should be treated as sensitive operations requiring clear consent.

Missing User Warnings

Severity: Medium, confidence 94%
The document states that agent.md is automatically uploaded and then publicly accessible via a predictable URL, but it does not clearly warn users that profile contents may become internet-accessible. In this ACP context, the risk is increased because workspace mode auto-generates agent.md from multiple local files, which can lead users to publish descriptive or operational metadata they did not realize would be exposed.

Missing User Warnings

Severity: Medium, confidence 89%
The documentation presents `seedPassword` and permissive `allowFrom: ["*"]` examples as normal configuration without any warning about credential handling or the security consequences of allowing all senders. In an agent messaging/channel plugin, this can lead users to expose sensitive secrets in plaintext configs and unintentionally permit unrestricted inbound access, increasing risk of account compromise or unauthorized interaction.

Missing User Warnings

Severity: Medium, confidence 90%
The document states that AI-generated session summaries are automatically appended to a contact's notes, but it does not clearly warn users that model-produced content will be persisted into contact records. This can create privacy, integrity, and reputational risks because inaccurate, sensitive, or prompt-influenced summaries may become durable metadata and later affect trust decisions or operator workflows.

Missing User Warnings

Severity: Medium, confidence 93%
The skill says any new sender is automatically added as a contact with an initial credit score, but it does not prominently warn users that receiving a message triggers contact-data creation. This can lead to silent data collection, contact-list pollution, and unwanted persistence of identifiers from untrusted parties, which is especially risky in a messaging/contact-management plugin.

Missing User Warnings

Severity: Medium, confidence 90%
The document explicitly states that group messages are persisted locally in JSONL files, but it does not warn users that potentially sensitive conversation content will be stored on disk. In a messaging/group-chat skill, local persistence increases the risk of unintended disclosure through shared machines, backups, malware, or overly broad file permissions.

Missing User Warnings

Severity: Medium, confidence 94%
The guidance tells users to pass the full group URL including the `?code=` invite token, but does not identify that token as a sensitive credential. Invite links can grant immediate access to groups, so exposing them in logs, screenshots, chat transcripts, or automation history could allow unauthorized joining.

Missing User Warnings

Severity: Medium, confidence 91%
These instructions direct modifying configuration, creating directories/files, backing up and restoring config, and generating credentials, but they do not require an explicit warning and consent before making system changes. This is dangerous because users may not understand that persistent local state and secrets will be altered, especially when bindings and plugin enablement change runtime behavior. The skill context makes such changes expected, but the absence of a clear pre-change warning increases the risk of unintended modification.

VirusTotal

66/66 vendors flagged this skill as clean.