Claude Code Team(OpenClaw 适配版)

Security checks across malware telemetry and agentic risk

Overview

The skill matches its team-automation purpose, but it can auto-launch multiple agents and persist task memory from broad everyday prompts without clear confirmation or retention controls.

Install only if you intentionally want broad team-mode automation. Before using it, require explicit confirmation before any agent spawning, monitor model/API cost, avoid sending secrets or regulated data, and inspect or clear the memory files it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The document states the gateway issue is 'permanently fixed' and 'already repaired' without including verifiable evidence such as actual committed config changes, code references, test artifacts, or deployment details. In an agent skill, this can mislead operators into trusting unsafe runtime behavior or skipping validation, which is especially risky because the document also encourages automatic team-mode execution.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The file claims the sessions_spawn wrapper and retry logic are already implemented, but only shows example JavaScript snippets in documentation. This creates a false sense of operational safety and resilience; users may assume cleanup, timeout, and retry protections exist when they may not actually be enforced in the live skill.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The skill advertises that a simple natural-language phrase like a team name plus a task will automatically start multiple agents and execute work. This creates an overbroad trigger surface where ordinary conversational text can unintentionally invoke automation, potentially causing unintended actions, cost, or downstream handling of sensitive prompts without an explicit confirmation step.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document states that team and agent memory are automatically recorded, including task history and personal records, but does not clearly warn users that their inputs may be persistently stored. This can lead to silent retention of sensitive business data, credentials, proprietary prompts, or personal information that users may assume are ephemeral.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The suggested invocation phrases are broad, natural-language commands that could plausibly appear in ordinary conversation, making accidental or prompt-injected activation more likely. Because the skill claims it will automatically start teams, assign tasks, and act on user phrases, weak activation boundaries increase the chance of unintended multi-agent execution and downstream actions.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The custom-team example uses an everyday request pattern ('创建一个 AI 研究团队...', i.e. "create an AI research team...") without clear scoping or confirmation, which can cause the skill to interpret normal brainstorming text as an instruction to create persistent configurations. In a system with automatic team creation, model assignment, and memory persistence, this ambiguity can trigger unintended state changes and resource use.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill advertises that team memory is automatically saved, but it does not disclose retention scope, sensitive-data handling, access controls, or user consent. In a multi-agent/team setting, automatic persistence can capture prompts, secrets, or business data and retain them longer than users expect, creating privacy and compliance risk.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The invocation examples are broad natural-language phrases that imply the skill will automatically infer intent and launch teams without tight trigger boundaries. In agent environments, ambiguous triggers can cause unintended agent spawning, resource consumption, or execution of actions the user did not explicitly authorize.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill advertises that it will 'automatically' start teams and 'automatically save' memory, but it does not clearly warn users that agent creation and persistence will occur. This is dangerous because it affects user consent, privacy, and resource usage; silent persistence and autonomous multi-agent execution can expose sensitive prompts or create unexpected side effects.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The README states that generic phrases like mentioning 'team', 'optimize project', or uploading a project with a task will automatically start multi-agent execution. These triggers are overly broad and can cause unintended activation from ordinary conversation, increasing the chance of unnecessary tool use, extra cost, and execution on ambiguous or unsafe requests.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The usage section shows activation through broad natural-language phrases rather than a constrained command format. In a skill that can spawn multiple agents and persist memory, this raises the risk of accidental execution, unwanted API spend, and processing of user/project data without sufficiently explicit intent.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The example trigger phrases are very broad and look like normal user requests, which can cause the skill to activate in situations where the user did not clearly intend to invoke it. In an agent setting, ambiguous activation expands the skill’s operational scope and can lead to unintended orchestration behavior, model selection, or prompt routing across ordinary conversations.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The README presents ordinary natural-language requests as sufficient to automatically create and launch multiple agents, which removes meaningful user confirmation and blurs the boundary between discussion and execution. In an agent environment, this can trigger unintended actions, resource consumption, or downstream tool use from ambiguous prompts, especially when the examples imply immediate orchestration rather than a dry-run or approval step.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill advertises automatic persistent writes to team and agent memory without disclosing consent, retention, sensitivity limits, or review controls. This is dangerous because user prompts, project details, secrets, or regulated data may be stored indefinitely and later reused across sessions, creating privacy, confidentiality, and cross-task data leakage risks.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The trigger list includes very common phrases such as '写代码' ("write code") and '开发一个' ("develop a..."), and role names like '程序员' ("programmer"), which can match ordinary user requests and cause autonomous team-mode activation without clear user consent. In a skill that can spawn multiple agents and persist memory, accidental activation materially increases operational and privacy risk.

Vague Triggers

Severity: High
Confidence: 98%
Finding
The automatic activation logic uses ambiguous conditions like mentioning '团队' ("team") or uploading project material with a task, which are too broad to reliably indicate user intent. Because the documented behavior is to automatically create/load teams and execute multi-agent workflows, this can lead to unintended autonomous actions and surprise side effects.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill states that team and agent memories are automatically saved to persistent files and records task history, decisions, and personal experience, but it does not present any clear retention notice, scope limitation, or user consent flow. This creates a meaningful risk of retaining sensitive project or user information longer than expected and exposing it through accessible storage.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The workflow explicitly instructs automatic launching of multiple agents via sessions_spawn and waiting for all results, yet it does not warn users about execution cost, resource consumption, side effects, or the fact that autonomous subtasks will run on their behalf. In context, broad triggers make this more dangerous because ordinary requests may unexpectedly escalate into multi-agent execution.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The auto-trigger list includes very generic phrases such as '团队' ("team"), '修复 bug' ("fix bug"), and '开发功能' ("develop a feature"), which are common in normal user requests and can cause the skill to activate unintentionally. In a multi-agent skill that can spawn and message sessions, accidental activation increases the chance of unnecessary tool use, unexpected task delegation, excess cost, and unintended processing of user/project data.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The automatic memory design records team and agent activity in plain-language memory files without stated boundaries, filtering, or sensitivity controls. In a multi-agent workflow, this increases the chance that confidential user instructions, internal decisions, or regulated data are copied into persistent storage and later exposed to other agents, users, or logs.

Ssd 3

Severity: Medium
Confidence: 89%
Finding
The core principles include '记忆自动持久化' ("automatic memory persistence"), which directs persistent retention across interactions without describing minimization, boundaries, or opt-in controls. Even though brief, this instruction sets a default behavior that can cause unnecessary collection and carryover of sensitive user or project information across sessions.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The memory sections instruct broad automatic logging of task history, decisions, lessons learned, personal experience, and completion records for teams and agents. In a collaborative coding skill, these categories can easily include proprietary code details, credentials pasted during troubleshooting, or sensitive business context, making overcollection and later leakage more likely.

VirusTotal

64/64 vendors flagged this skill as clean.
