Colony

Security checks across malware telemetry and agentic risk

Overview

This is a coherent multi-agent orchestration skill, but it gives background agents broad coding, file, deployment, notification, and persistent-memory authority with weak safety boundaries.

Install only if you are comfortable with this skill spawning background OpenClaw agents that may edit files, run operational workflows, publish, or deploy. Disable notifications unless needed, avoid putting secrets or regulated data into prompts, feedback, or global context, and add human approval gates for deploy, delete, git, SSH, Docker, install, and publish actions before using it on important repositories or live environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The function logTaskCompleted(taskId, agent, durationMs, tokens = {}, success = true) records the provided success value in the event log, but then unconditionally calls updateAgentStats(agent, { success: true, ... }). This creates an integrity flaw where failures can be logged as unsuccessful in the audit trail while agent statistics still count them as successes, enabling misleading dashboards, incorrect success-rate calculations, and weakened operational monitoring.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The code still uses shell-based execSync calls with interpolated paths for file cleanup and file moves, despite comments suggesting shell escaping issues were avoided. While some paths are quoted in places, constructing shell commands from variable file paths is risky and unnecessary; if any path becomes attacker-influenced, this can lead to command injection or shell metacharacter abuse, and even without injection it creates brittle cross-platform behavior.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger lists are broad and overlapping, using generic terms like 'analyze', 'explain', 'test', 'build', and 'post' that can match many unrelated requests. In a multi-agent orchestration system, this can cause tasks containing sensitive operations to be routed to the wrong agent, increasing the chance of unsafe actions, unintended data access, or low-quality outputs being treated as authoritative.

Vague Triggers

Low
Confidence: 84%
Finding
The documentation says unmatched tasks fall back to a default agent but does not define the safety properties of that default behavior. Ambiguous fallback logic can silently send unclear or novel requests to an agent that is not appropriate for the task, which is especially risky in a system that can trigger coding, deployment, file, or audit workflows.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documents persistent storage of user preferences, feedback, active facts, and decisions across files, but it does not present a clear privacy notice, retention policy, consent model, or guidance on sensitive data handling. In agent systems, long-lived memory and shared context can accumulate personal, confidential, or project-sensitive information and make it available to future tasks and other agents beyond the user's expectations.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly documents persistent storage for agent memory, shared context, feedback, runs, and audit data, but it does not warn users that prompts, task context, operational metadata, and possibly sensitive business information will be written to disk. In a multi-agent orchestration tool, this creates a real privacy and data-handling risk because users may unknowingly submit secrets, internal project details, or personal data that remain stored across sessions.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documented workflows include system-changing actions such as fixing bugs, running deploy stages, and assigning tasks to an ops-oriented shell agent without prominent warnings or safety gates about repository and environment impact. In this context, the skill is specifically designed to orchestrate autonomous or semi-autonomous agents, which makes unintended code changes, deployments, or operational actions materially more dangerous than a passive documentation example.

Vague Triggers

High
Confidence: 95%
Finding
The researcher agent uses very broad natural-language triggers such as 'find', 'explain', 'what is', and 'investigate', which are likely to appear in many ordinary user requests. In a trigger-routed multi-agent system, this can cause unintended delegation to the research agent, leading to incorrect tool use, data exposure to the wrong sub-agent, or bypass of more appropriate routing logic.

Vague Triggers

High
Confidence: 96%
Finding
The coding agent is activated by highly ambiguous words like 'code', 'write', 'fix', 'build', 'test', and 'api', which commonly occur in benign conversation outside actual coding requests. If this agent has access to code-generation or execution capabilities, accidental routing can materially increase risk by causing unauthorized modifications, unsafe code suggestions, or execution-oriented behavior when the user did not intend it.

Vague Triggers

High
Confidence: 98%
Finding
The operations agent includes especially risky broad triggers like 'file', 'delete', 'install', 'server', and 'docker', which can match casual language while mapping to an agent likely associated with high-impact system actions. Misrouting to an ops-oriented agent is more dangerous in context because deployments, file operations, and administrative workflows can affect infrastructure, source control, or local data if the surrounding system grants tools or automation.

Vague Triggers

Medium
Confidence: 90%
Finding
Many other agents also depend on common single-word triggers such as 'data', 'product', 'ideas', 'post', 'test', 'audit', and 'evaluate', creating systemic trigger collisions across the registry. This broad overlap makes routing behavior unpredictable and easier to manipulate with crafted prompts, reducing reliability and potentially steering requests toward agents with different trust boundaries or capabilities.

Vague Triggers

Medium
Confidence: 90%
Finding
The bug-triage process uses very generic triggers like "bug," "fix," "issue," and "broken," which can match many unrelated user requests and cause the wrong workflow to run. Because this process culminates in a shell-based deploy step with no explicit human checkpoint, accidental invocation could lead to unintended code changes or deployment actions in a sensitive operational context.

Vague Triggers

Medium
Confidence: 83%
Finding
The validate-idea workflow includes broad phrases like "validate," "idea," and "worth building," which can be triggered by many normal conversations that are not intended to launch a multi-stage business analysis process. While this is less dangerous than a deployment workflow, it can still cause unintended agent execution, wasted resources, and disclosure or processing of context that the user did not mean to route into this process.

Vague Triggers

Medium
Confidence: 85%
Finding
The landing-page process is activated by broad triggers including "website" and "homepage," which may match many unrelated requests and route them into a page-generation workflow. In context, this process produces implementation artifacts like HTML/CSS, so misrouting could cause unintended content generation or downstream build activity beyond what the user requested.

Missing User Warnings

Medium
Confidence: 87%
Finding
logProcessStarted writes process context directly into a persistent audit log after only truncating length, with no redaction, minimization, or consent boundary. Process context commonly contains prompts, task inputs, identifiers, secrets, or user-provided content, so this can silently persist sensitive data and expand the blast radius of any later log access or disclosure.

Missing User Warnings

Medium
Confidence: 89%
Finding
logFeedbackReceived persists user feedback to disk without any evident notice, redaction, or data-classification controls. User feedback can contain personal data, credentials, proprietary text, or other sensitive material, so storing it verbatim in audit logs creates a privacy and confidentiality risk even if the feature is intended for observability.

Missing User Warnings

Medium
Confidence: 96%
Finding
This worker builds a Bash command string using untrusted metadata values such as sessionId and then executes it with execSync under /bin/bash. Although the prompt body is base64-encoded, the command still interpolates attacker-controlled data into the shell, creating command injection risk; it also deletes files from attacker-influenced paths during cleanup, which can remove unintended files if the metadata is tampered with.

Missing User Warnings

Medium
Confidence: 92%
Finding
The notification feature automatically sends process names, stage names, run IDs, and error details to an external Telegram target via openclaw without an explicit warning or consent at the moment of transmission. In a multi-agent orchestration tool, process context and failures may contain sensitive operational or business information, so silent exfiltration to a third-party channel increases confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.