Multi Workplace

Security checks across malware telemetry and agentic risk

Overview

This skill has broad local project-management powers, but the artifacts describe those powers clearly and do not show deception, exfiltration, or destructive behavior without user involvement.

Install only if you want OpenClaw to manage project directories this way. Before running init, sync, kernel, deploy, or recursive parent-folder operations, confirm the target path and review the files that may be created or changed, especially .workplace/, ~/.openclaw/workspace/.workplaces/, CLAUDE.md, .cursor/rules/workplace.mdc, and opencode.jsonc.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill describes shell-based scripts and a native binary (`scripts/*.sh`, `workplace-server`) but declares no permissions. That mismatch can cause the host or user to authorize execution without clear disclosure, increasing the chance of unexpected filesystem changes or process execution in project directories and the user's home directory.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The command reference exposes a destructive `workplace delete` capability that is not disclosed in the higher-level skill description, creating a capability mismatch. That increases the risk that users or orchestrators invoke the skill with incomplete understanding, leading to accidental deletion of registry entries, `.workplace/` state, or associated memory data.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The deploy command goes beyond passive workplace management by allowing optional execution of deployment instructions, which can translate untrusted markdown into shell actions. In a multi-project orchestration skill, this broadens the trust boundary and could enable command execution from project-controlled `.workplace/deploy/<env>.md` content if confirmation or validation is weak.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The example agent triggers use very broad, common-language terms such as "code," "implement," and "fix," which can cause accidental invocation in unrelated contexts. In a multi-agent orchestration skill that can start agents and hand off tasks automatically, ambiguous triggers increase the chance of unintended actions or context leakage across workflows.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that `workplace sync` generates or updates files like `.cursor/rules/workplace.mdc`, `CLAUDE.md`, and `opencode.jsonc` without prominently warning that user project files will be modified. Because these files influence IDE and agent behavior, silent or poorly disclosed modification can overwrite existing instructions, introduce unsafe prompt content from workplace config, or persist unreviewed changes into repositories.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation triggers are extremely broad, covering many generic project-management and codebase terms, which can cause the skill to invoke in contexts the user did not intend. For a skill that changes current workspace, scans directories, writes config files, and may launch subprocesses, over-invocation increases the risk of unintended file operations and context leakage across projects.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs the system to update files such as `current.json`, `registry.json`, and per-workspace config to switch context, but it does not prominently warn that these operations modify persistent state. Combined with references to syncing external IDE files and deployment-related docs, this can lead to silent edits in the user's home directory and project repositories, surprising users and potentially affecting other tools.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This template instructs a persistent background agent to recursively scan the project, write multiple files under .workplace, inspect parent and linked workplaces, and sync structure summaries to external long-term memory, but it provides no explicit consent, approval gate, or data-minimization boundary. In a multi-project environment, that can expose sensitive filenames, repository structure, and cross-workplace metadata through silent persistence and external synchronization.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The trigger list includes highly generic terms like "code," "fix," "build," and "implement," which are common in ordinary user requests and can cause unintended activation of the workplace agent. In this skill, unintended activation is more dangerous because the agent can orchestrate subagents, read project/workplace metadata, and write coordination state into .workplace files, expanding the scope of an accidental invocation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly instructs creating and modifying project configuration files such as `CLAUDE.md` and `opencode.jsonc`, including replacing marked sections and appending to existing files, but it does not require user confirmation, backups, or a clear warning that existing project content may be altered. In a skill that orchestrates multiple workplaces and syncs context into external IDEs, silent modification of repo files can overwrite user-maintained configuration, leak internal context into tracked files, or cause unintended commits and tool behavior changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `sync all` behavior updates multiple IDE integration files based on detection logic, but the documentation does not warn that several files may be created or modified in one command. Because this skill manages multi-agent context, agent instructions, and deployment summaries, bulk syncing increases the risk of unexpectedly propagating sensitive or unintended context across multiple tool configs and project files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script immediately creates directories and writes multiple files under the user-supplied target path and a global registry under $HOME without any confirmation, dry-run mode, or explicit warning beyond normal usage text. In an agent-driven context, that behavior is risky because a mistaken, overly broad, or attacker-influenced path can cause persistent filesystem changes outside what the user expected.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When the target lacks a .git directory but contains child repos, the script recursively invokes itself on each child and then modifies each child's .workplace/config.json plus shared registry state, all without separate consent for those additional writes. In this skill's multi-workplace orchestration context, that amplifies risk because a single invocation can unexpectedly alter many repositories and create broad persistent state across related projects.

VirusTotal

55/55 vendors flagged this skill as clean.