Workflow Guardian

Security checks across malware telemetry and agentic risk

Overview

This skill appears to act as a broad workflow enforcer that automatically writes persistent logs and memory/state across tasks, with insufficient scoping and data-handling limits.

Review before installing. Use this only in a workspace where broad workflow enforcement and persistent task logging are acceptable. Add or require clear write paths, redaction of secrets and personal data, approval before autonomous fixes, and narrow activation rules before using it on confidential or unrelated tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill declares applicability to "any task type" and provides global behavioral enforcement without clear activation boundaries, exclusions, or least-privilege constraints. In an agent setting, this can cause the skill to inappropriately influence unrelated tasks, amplify authority over workflow execution, and create unsafe cross-context policy enforcement.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to automatically update files and runtime state after workflow completion or violations, but it does not warn users that persistent data will be modified. Silent writes to logs, stats, and memory files can create unauthorized state changes, overwrite expected behavior, and cause integrity issues in environments where file modification should be explicit and consented.

Missing User Warnings

Medium
Confidence: 94%
Finding
The post-fix protocol allows the agent to "apply fix if autonomous" after completion, enabling unsupervised corrective changes to files or workflow state without prior user approval. This is more dangerous in context because the skill positions itself as a general workflow enforcer, so the autonomous fix path could affect arbitrary tasks and retroactively change outputs or records.

Missing User Warnings

Medium
Confidence: 93%
Finding
The description says the hook "writes violation entry" and "updates memory and soul," but it does not clearly warn that invocation causes persistent file and state mutations across multiple locations. In an agent setting, insufficient disclosure around automatic writes can lead to unintended persistence, log poisoning, or corruption of long-lived state when the hook is triggered by adversarial or malformed inputs.

Missing User Warnings

Medium
Confidence: 95%
Finding
The hook instructs the agent to append a one-line summary of each step's output to a persistent run log, but it provides no constraint against logging secrets, personal data, tokens, or sensitive intermediate results. In a workflow system that runs after every step, this creates a realistic risk of unintended data retention and secondary exposure through logs, especially when workflows process confidential content.

Missing User Warnings

Medium
Confidence: 91%
Finding
This hook instructs the agent to append to a run log and modify memory/state files automatically, but provides no guardrails around authorization, path validation, data integrity, or user awareness. In a broadly triggered pre-task hook, that can cause unintended state changes, log pollution, or corruption of workflow tracking data, especially if <id> or task metadata is attacker-controlled.

VirusTotal

66/66 vendors flagged this skill as clean.