Agent Task Manager

Security checks across malware telemetry and agentic risk

Overview

This is a transparent local workflow-orchestration template, but users should treat its shell command wrapper and saved task state with care.

Install only if you want a local orchestration template. Do not pass untrusted text into cooldown.sh as a command, review any command before wrapping it, and avoid putting secrets or sensitive personal data into task definitions because task_state.json and cooldown timestamps remain on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill advertises capabilities that imply file read/write and networked operations, but it does not declare any permissions or constraints. In a stateful workflow/orchestration skill, this mismatch is risky because agents may perform persistent state changes or external actions without explicit authorization boundaries, reducing auditability and increasing the chance of unintended data access or outbound operations.

Vague Triggers

Medium
Confidence: 85%
Finding
The description encourages broad use for creating or improving multi-agent workflows without specifying triggering conditions, safety boundaries, or prohibited contexts. Because this skill manages persistent state, dependencies, and external rate-limited actions, overly broad invocation guidance can cause it to be applied in sensitive contexts where autonomous file or network activity is inappropriate.

VirusTotal

66/66 vendors flagged this skill as clean.
