Workplace

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its workplace-management purpose, but it needs Review because it has a confirmed command-injection bug and broad persistent workspace mutation.

Install only if you intentionally want project-level multi-agent orchestration. Review and patch the init script before using user-supplied names, run it only on trusted project paths, avoid initializing parent folders unless you want child repositories changed, and check what will be written to .workplace, IDE config files, the home-directory registry, and supermemory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Medium severity, 90% confidence
The script performs a recursive inventory of the target project and writes the results to .workplace/structure.json. In the context of a multi-agent workplace skill, this is more sensitive than ordinary setup because it collects a broad map of project contents that can later be consumed by other agents or synced tooling, increasing exposure of repository structure and potentially sensitive filenames.

Description-Behavior Mismatch

Medium severity, 96% confidence
The script stores workplace metadata, including absolute paths, hostnames, UUIDs, parent relationships, and activity timestamps, in a global per-user registry under $HOME. This creates cross-project aggregation outside the target repo, which is risky in a skill designed for multi-agent orchestration and external context syncing because it centralizes sensitive environment metadata that other tools or agents may read.

Description-Behavior Mismatch

Medium severity, 95% confidence
When a parent workspace is detected, the script automatically initializes child repositories, edits their configs, cross-links them, and rewrites full-tree metadata across multiple directories. In this skill's context, that broadens scope from one requested project to many repositories at once, which is dangerous because it mutates unrelated codebases and establishes inter-repo relationships without explicit per-repo consent.

Vague Triggers

Medium severity, 84% confidence
The documented agent trigger phrases are broad enough to match ordinary user requests like 'fix', 'code', or 'refactor', which can cause the wrong agent or workflow to activate unintentionally. In a multi-agent skill that supports task handoff and persistent workspace context, accidental invocation can lead to unintended actions, context leakage between agents, or modification of project state without the user explicitly choosing that agent.

Missing User Warnings

Medium severity, 90% confidence
The README states that sync commands generate or update files such as '.cursor/rules/workplace.mdc', 'CLAUDE.md', and 'opencode.jsonc' but does not clearly warn users that running the command will write to project files. In a tool that operates across multiple workplaces and can sync context into IDE instruction files, silent or poorly signposted file modification increases the risk of unexpected config changes, instruction injection persistence, and accidental corruption of existing project setup.

Vague Triggers

Medium severity, 78% confidence
The trigger text is broad enough to match common project-management or codebase-navigation requests, which can cause the skill to activate when the user did not intend workplace operations. Because the skill is described as scanning directories, switching context, and managing agents, accidental invocation could lead to confusing context changes or filesystem modifications in the wrong project. The broad auto-detection of .git folders further increases the blast radius.

Missing User Warnings

Medium severity, 89% confidence
The markdown instructs the agent to update current.json, registry metadata, load workspace config, and create sessions, and elsewhere describes sync operations that modify external tool context, without explicit user warnings or confirmation. Hidden or poorly signposted state changes are risky because they alter active workspace context and persistent files across tools, which can misdirect future actions or leak project context into the wrong environment. In a multi-workplace skill, silent context mutation is especially dangerous.

Vague Triggers

Medium severity, 90% confidence
The trigger list includes generic terms like "kernel," "structure," and "scan files," which are likely to appear in normal conversation and can cause the agent to activate unexpectedly. In this skill, activation leads to recursive scanning and writes to `.workplace/*`, so accidental invocation can expose project structure and cause unintended file modifications.

Missing User Warnings

Medium severity, 93% confidence
The template instructs the agent to generate and overwrite `.workplace/structure.json`, rebuild `.workplace/full-tree.md`, remove stale entries, clear outdated memory entries, and write process status, but it does not clearly warn the user that these are data-affecting operations. In a multi-project orchestration context, this can lead to silent modification of metadata, loss of useful records, or broader disclosure of repository structure to external memory/sync systems.

Vague Triggers

Medium severity, 84% confidence
The example agent definition uses very broad trigger keywords such as "code," "fix," "build," and "refactor," which can cause the orchestrator to activate this agent for many unrelated requests. In a multi-agent workplace system with automatic handoff and shared project context, unintended activation can lead to unauthorized code changes, noisy delegation, or execution of actions in the wrong workplace/session.

Missing User Warnings

Medium severity, 84% confidence
The status command exposes local path, host name, linked workplaces, active agents, and activity timing without any warning or minimization guidance. In an agent-driven environment with Telegram/Discord UI and cross-agent orchestration, this metadata can leak sensitive operational details to logs, chats, or unintended viewers.

Missing User Warnings

Medium severity, 92% confidence
The kernel start flow instructs the agent to save workplace structure to external memory ('supermemory') using a workplace UUID, but the documentation gives no user-facing consent, scoping, or data classification controls. Because structure data can reveal repository layout, component names, and internal architecture, this creates a real risk of unintended persistence or disclosure beyond the local project.

Missing User Warnings

Medium severity, 93% confidence
The guide instructs the agent to create directories, initialize a Git repository, and run an init script against a user-supplied path without first requiring an explicit confirmation that the target project will be modified. In an agent skill that manages workplaces across multiple project directories, this increases the chance of unintended writes to the wrong folder, accidental repository creation, or modification of an existing codebase due to path confusion or over-broad automation.

Missing User Warnings

Medium severity, 95% confidence
The session deletion flow allows a destructive action directly from a button press without any explicit confirmation prompt, warning, or undo mechanism. In a chat-driven UI, accidental taps, ambiguous labels, or spoofed callback routing can permanently remove session metadata and disrupt access to prior conversation context, making this a real integrity and availability issue.

Missing User Warnings

Medium severity, 92% confidence
The script immediately creates directories and later writes multiple files in both the target project and the home-directory registry without an upfront warning, dry run, or confirmation. In a developer-agent skill, silent filesystem mutation is security-relevant because users may invoke it on the wrong path or through automation, causing unintended persistent state changes across projects.

Missing User Warnings

Medium severity, 97% confidence
The recursive child initialization path modifies multiple child repositories and may alter existing .workplace/config.json files to set parent references, all without a clear upfront warning. This is especially risky for a workplace-management skill because users may intend to initialize only one directory, while the script silently expands impact to sibling repositories and persists cross-repo metadata.

VirusTotal

60/60 vendors flagged this skill as clean.