LYGO Ollama Army & Assistant Hub

Security checks across malware telemetry and agentic risk

Overview

This is mostly what it claims to be, a local Ollama helper, but it still has a Windows command-launching flaw and a persistent self-growing daemon behavior that users should review before installing.

Install only if you are comfortable running persistent local Python daemons. On Windows, avoid passing role, model, or champion values from untrusted input, and do not use shell metacharacters in those fields. Keep Ollama local unless you explicitly intend to send prompts to another server, review queue files before processing, and leave --grow off until you understand that it can launch additional daemons.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Safer launch: list form + explicit new console. Avoids outer shell=True f-string injection.
# The inner title + cd + python is still passed to cmd /k, but inputs are sanitized.
inner_args = ["cmd", "/k", f'title {title} && cd /d "{HERE}" && {" ".join(base_cmd)}']
proc = subprocess.Popen(
    inner_args,
    creationflags=getattr(subprocess, "CREATE_NEW_CONSOLE", 0)
)
Confidence
92% confidence
Finding
proc = subprocess.Popen( inner_args, creationflags=getattr(subprocess, "CREATE_NEW_CONSOLE", 0) )

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The function accepts an arbitrary ollama_host and sends the full user prompt and system prompt to that endpoint, so a caller can redirect traffic away from the expected local service. In the context of a tool advertised as a local Ollama assistant hub, this can cause unintended disclosure of sensitive prompts to remote systems or untrusted local proxies.
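A practical mitigation for this finding is to pin the endpoint to loopback before any prompt leaves the process and require an explicit opt-in for anything else. The check below is an added example, not the project's code: `ollama_host` is the parameter named in the finding, while `ensure_local_ollama_host`, the `allow_remote` flag and the fallback port 11434 (Ollama's documented default, not stated on this page) are assumptions. It uses `urllib.parse.urlsplit` so that userinfo tricks such as `localhost@evil.example` and look-alike hosts such as `127.0.0.1.evil.example` are judged by the real hostname.

```python
"""Refuse to send prompts to a non-loopback Ollama endpoint unless explicitly allowed."""
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
DEFAULT_PORT = 11434   # assumed default; verify against your Ollama configuration


def ensure_local_ollama_host(ollama_host: str, allow_remote: bool = False) -> str:
    """Return a normalised ``scheme://host:port`` base URL, or raise ValueError.

    - bare hostnames are treated as http://
    - embedded credentials are rejected (they are the classic way to make
      'localhost' appear in a URL that actually targets another host)
    - anything not in LOOPBACK_HOSTS is rejected unless allow_remote=True
    """
    raw = ollama_host if "://" in ollama_host else "http://" + ollama_host
    parts = urlsplit(raw)
    host = parts.hostname   # lower-cased, userinfo and brackets stripped
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"malformed Ollama host: {ollama_host!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError(f"credentials embedded in Ollama host are not allowed: {ollama_host!r}")
    if host not in LOOPBACK_HOSTS and not allow_remote:
        raise ValueError(
            f"refusing to send prompts to non-local host {host!r}; "
            "pass allow_remote=True to opt in deliberately"
        )
    port = parts.port or DEFAULT_PORT          # .port raises ValueError on junk ports
    netloc = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    return f"{parts.scheme}://{netloc}"
```

Call it once where `ollama_host` is read (argument, environment variable or config file) and use only the returned base URL for requests; the `allow_remote=True` path is the place to log the deliberate decision to ship prompts off-box.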

VirusTotal

65/65 vendors flagged this skill as clean.
