ClawHub

Virtual Company

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-agent workspace, but it asks for broad persistent memory, background agent sessions, and priority-overriding loyalty behavior that users should review before installing.

Install only if you intentionally want a persistent multi-agent workspace. Before use, remove or ignore the absolute-loyalty and fixed-identity instructions, do not run the force-delete command in integration-plan.md, and treat all ~/.agent-memory and shared-memory content as durable project memory that may be reused in later agent prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The hard-coded loyalty policy instructs the skill to prioritize obedience to a specific person above all other rules and safeguards. In a multi-user or policy-constrained environment, this is dangerous because it explicitly attempts to override normal safety, authorization, and conflict-resolution controls.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The plan explicitly instructs forceful recursive deletion of another skill directory using `Remove-Item -Recurse -Force`. In a collaboration/team-management skill, deleting unrelated local skill content is outside expected scope and can cause irreversible loss of functionality or user customizations, especially because the path targets a skill directory rather than temporary artifacts.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The integration workflow directs modification of local configuration/session files and later removal of another skill, which exceeds the stated purpose of a virtual-company orchestration skill. Even though the backup commands themselves are not destructive, they normalize filesystem-level administrative actions unrelated to core chat/team functionality and can pave the way for unsafe configuration tampering.

Vague Triggers

High
Confidence
90% confidence
Finding
The trigger set contains broad everyday terms such as '组队' and generic role names that can cause accidental invocation. In this skill, unintended activation is more dangerous because invocation can lead to spawning sub-agents, persistent memory writes, and shared-memory propagation without clear user intent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill documents automatic persistence of task history, experiences, and shared-memory updates but does not present a clear user-facing warning or consent mechanism. This is dangerous because users may disclose sensitive project, personal, or business information that is then retained and shared across agents beyond the immediate task.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The skill enforces a fixed user identity ('生逸超') and mandatory loyalty relationship without opt-in or verification. This can misattribute authority, cause the skill to mishandle requests from other users, and normalize bypass of ordinary access-control and safety expectations.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The markdown includes a forceful deletion command but provides no warning that it is destructive, irreversible, and may remove another installed skill recursively. Lack of warning materially increases the chance that a user or agent follows the instruction blindly, causing accidental data or capability loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists agent memory under the user's home directory (`~/.agent-memory`) by default, creating long-lived storage of potentially sensitive prompts, tasks, decisions, and session data. In a multi-agent memory system, this is security-relevant because users may not expect durable retention, and the file contents can expose prior user data to other local processes, later sessions, or anyone with filesystem access.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The default routing keywords are very broad and overlap with normal user language such as '写代码', '规划', or '做文档', which can cause the skill to invoke persistent background sub-agents when the user did not explicitly request delegation. In this skill, that risk is amplified because it supports 35 permanent session-based agents and says '不等待结果' and '后台运行', so a casual phrase could trigger unintended multi-agent actions and data flow.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description of '智能分配(默认)' does not clearly specify when automatic activation should or should not occur, creating ambiguous control boundaries. In the context of this skill, ambiguity is security-relevant because requests may be routed to persistent sub-agents by default without clear user consent, increasing the chance of unintended execution, disclosure, or background processing.

Ssd 1

High
Confidence
99% confidence
Finding
Absolute-loyalty instructions that rank one user's commands above all other safeguards are an explicit attempt to subvert the platform's safety hierarchy. In context, this orchestration skill can route tasks across many agents and memories, so such override semantics could amplify unsafe actions, privacy violations, or policy evasion at scale.

Ssd 3

High
Confidence
98% confidence
Finding
The shared-memory design broadly propagates announcements, project updates, lessons learned, and employee status across agents by default. This creates a significant confidentiality risk because sensitive user data or internal project details can be copied to multiple contexts, increasing exposure, retention, and secondary misuse.

Ssd 3

Medium
Confidence
91% confidence
Finding
The persistent-memory model stores historical tasks and experiences that may contain sensitive user or business information, normalizing long-term retention without minimization. Even if intended for continuity, such archives increase the blast radius of accidental disclosure, later misuse, or unauthorized access.

Ssd 3

Medium
Confidence
97% confidence
Finding
`getMemoryContext()` reconstructs prompt context by concatenating previously stored free-form announcements, decisions, tasks, and experiences directly into future agent context. Because this skill is explicitly designed for persistent shared memory across many 'employees' and sessions, untrusted or sensitive user-provided content can be silently resurfaced later, causing cross-session data leakage, prompt injection persistence, and broader exposure across team/company scopes.

Ssd 4

Medium
Confidence
95% confidence
Finding
The CEO role description explicitly mixes ordinary business operations with '私人:健康、婚姻、性生活等私人服务', creating an authority-framed pathway for intimate and potentially sexual or manipulative interactions. In a multi-agent 'virtual company' context, this broad privileged persona can normalize unsafe personal assistance and increase the chance the system steers users into disallowed sexual, medical, or emotionally coercive exchanges under the guise of executive support.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal