Schelling Protocol

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it sends user intents to an external coordination service and stores a persistent API key, and both behaviours deserve a careful review before install.

Install only if you want your agent to use the Schelling coordination network. Review intent text, profile fields, contact details, budgets, and outbound messages before they are sent. Treat the API key as a bearer secret: keep it out of shell history and logs, accept only trusted SCHELLING_URL values, and keep any inbox polling explicit and limited.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README explicitly instructs users to copy and save a returned API key, but it does not clearly state that the key is a bearer secret that grants inbox and update access and must not be exposed in logs, shell history, screenshots, or shared notes. In security-sensitive workflows, normalizing casual handling of credentials increases the risk of account takeover or unauthorized actions if the key is leaked.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill instructs the agent to save an API key in persistent storage and use it for ongoing inbox polling, but it does not provide clear guidance on secure secret handling, minimization, or user consent. Poorly handled persistent credentials increase the risk of unauthorized account access, cross-session leakage, and silent background activity tied to the user's identity.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill encourages transmitting user intents, offers, needs, and coordination messages to an external network service without a prominent privacy warning or data-sharing consent step. Even if the endpoint uses HTTPS, the skill describes broad sharing of potentially sensitive user and contact information with third parties, which can expose personal, commercial, or confidential data.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The recommended trigger conditions are very broad and overlap with many ordinary user requests such as finding collaborators, services, or buyers. This increases the chance that the skill will activate by default and send user requests to an external coordination network when the user did not specifically ask for third-party outreach or public discovery.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script transmits the user's free-form intent text to a remote service without any inline disclosure, confirmation, or warning that the input will leave the local machine. Because intent text can easily contain sensitive personal, financial, or location data, this creates a privacy and data-handling risk even though the transmission is the script's intended function.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script requires the API key as a positional command-line argument and even demonstrates that usage in its help text. On multi-user systems or developer workstations, command-line arguments can be exposed through shell history, process listings, audit logs, or CI job logs, which can leak a bearer token that grants access to update the agent card.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 82%
Content:
INTENT="$1"

curl -s -X POST "${BASE_URL}/schelling/quick_seek" \
  -H "Content-Type: application/json" \
  -d "$(jq -n --arg intent "$INTENT" '{intent: $intent, auto_advance: false}')" \
  | jq '.'
Finding: The script takes the user's free-form intent from its first positional argument, wraps it in JSON with jq, and POSTs it to ${BASE_URL}/schelling/quick_seek. Because the body is passed with -d, the intent text is also visible in curl's command line (for example in a process listing) for the duration of the request.
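A hardened form of the quoted quick_seek wrapper, added here as an example (it is not the skill's own script), that addresses the findings above together: the API key is read from the environment or a mode-0600 file instead of argv, SCHELLING_URL is checked against an https host allowlist before any request, the JSON body is piped to curl rather than passed with -d, and the user sees and confirms what leaves the machine before anything is sent. The /schelling/quick_seek path and JSON shape are taken from the quoted script; SCHELLING_ALLOWED_HOSTS, SCHELLING_API_KEY, SCHELLING_KEY_FILE, SCHELLING_CONFIRM, the schelling.example default host and the "Authorization: Bearer" header are assumptions about the service that the page does not document.

```shell
#!/usr/bin/env bash
# Hardened wrapper for the quick_seek call quoted in the finding above.
# Added example, not the skill's own script. Hypothetical names:
# SCHELLING_ALLOWED_HOSTS, SCHELLING_API_KEY, SCHELLING_KEY_FILE,
# SCHELLING_CONFIRM and the "Authorization: Bearer" header. SCHELLING_URL
# and the /schelling/quick_seek path come from the scan report.
set -eu

# Hosts the wrapper may contact. Hypothetical default; set it explicitly.
SCHELLING_ALLOWED_HOSTS="${SCHELLING_ALLOWED_HOSTS:-schelling.example}"

# Accept only an https URL whose host is on the allowlist, so a tampered
# SCHELLING_URL cannot redirect intents (or the key) to another server.
# "https://allowed.host@evil.test/" is rejected because the whole authority
# component is compared, not a substring of it.
validate_url() {
  case "$1" in
    https://*) ;;
    *) return 1 ;;
  esac
  host="${1#https://}"
  host="${host%%/*}"      # drop path
  host="${host%%:*}"      # drop port
  for allowed in $SCHELLING_ALLOWED_HOSTS; do
    [ "$host" = "$allowed" ] && return 0
  done
  return 1
}

# Read the bearer key from the environment or a private file, never from
# argv, so it does not reach shell history, ps output, or CI job logs.
load_api_key() {
  if [ -n "${SCHELLING_API_KEY:-}" ]; then
    printf '%s' "$SCHELLING_API_KEY"
    return 0
  fi
  keyfile="${SCHELLING_KEY_FILE:-${HOME:-}/.config/schelling/api_key}"
  if [ ! -f "$keyfile" ]; then
    echo "no API key: set SCHELLING_API_KEY or create $keyfile" >&2
    return 1
  fi
  # Refuse a key file that group or others can read (expected mode 0600).
  if [ -n "$(find "$keyfile" -prune \( -perm -004 -o -perm -040 \))" ]; then
    echo "refusing $keyfile: readable by group/others, chmod 600 it" >&2
    return 1
  fi
  tr -d '\n' < "$keyfile"
}

# Show exactly what will leave the machine and require explicit consent.
# A non-interactive caller (an agent) must set SCHELLING_CONFIRM=yes, which
# makes the consent visible in its configuration instead of implicit.
confirm_send() {
  printf 'About to POST to %s:\n%s\n' "$1" "$2" >&2
  [ "${SCHELLING_CONFIRM:-}" = "yes" ] && return 0
  if [ ! -t 0 ]; then
    echo "refusing to send: stdin is not a terminal and SCHELLING_CONFIRM != yes" >&2
    return 1
  fi
  printf 'Send? [y/N] ' >&2
  read -r answer
  [ "$answer" = "y" ]
}

# quick_seek as in the quoted script, but the JSON body is piped to curl
# (--data-binary @-) instead of passed with -d, so the intent text does not
# show up in the process list either.
send_intent() {
  base_url="${SCHELLING_URL:?set SCHELLING_URL}"
  validate_url "$base_url" || { echo "untrusted SCHELLING_URL: $base_url" >&2; return 1; }
  body="$(jq -n --arg intent "$1" '{intent: $intent, auto_advance: false}')"
  confirm_send "$base_url/schelling/quick_seek" "$body" || return 1
  printf '%s' "$body" | curl -sS --fail -X POST "$base_url/schelling/quick_seek" \
    -H "Content-Type: application/json" --data-binary @- | jq '.'
}

# Authenticated POST (inbox polling, agent-card updates) with the JSON body on
# stdin. The bearer header reaches curl through a 0600 temp file (-H @file,
# curl 7.55+), so the key never appears in argv. Endpoint path is the caller's.
auth_post() {
  base_url="${SCHELLING_URL:?set SCHELLING_URL}"
  validate_url "$base_url" || { echo "untrusted SCHELLING_URL: $base_url" >&2; return 1; }
  key="$(load_api_key)" || return 1
  hdr="$(mktemp)"
  printf 'Authorization: Bearer %s\n' "$key" > "$hdr"
  rc=0
  curl -sS --fail -X POST "$base_url$1" -H "Content-Type: application/json" \
    -H "@$hdr" --data-binary @- || rc=$?
  rm -f "$hdr"
  return "$rc"
}

# Usage: SCHELLING_URL=https://schelling.example ./seek.sh "need a Rust code reviewer"
if [ $# -gt 0 ]; then
  send_intent "$1"
fi
```

The intent text itself is not a secret, so taking it from argv is acceptable; the point of piping the body is that the full JSON no longer sits in curl's command line while the request runs. The -H @file form needs curl 7.55 or newer; on older versions, a curl config file passed with -K (also created by mktemp with mode 0600) achieves the same separation of the key from argv.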

VirusTotal

65/65 vendors flagged this skill as clean.