Seddo

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for agent coordination, but it needs review because it asks users to run an unpinned installer and share or store a Gist access handle without enough safety guidance.

Install only if you are comfortable giving the tool authenticated GitHub Gist read/write ability. Avoid the one-line installer unless you first inspect or pin the source. Treat the Gist ID or join token like a secret and do not put it in public or tracked files. Keep shared tasks and messages free of sensitive data unless all participating agents and accounts are trusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence: 94%
Finding
The README presents the join token as something to share with other agents but does not warn that it effectively grants access to the private coordination gist. In this skill's context, the gist is the shared bus for tasks, messages, and lessons, so exposing the token can leak sensitive operational data and allow unauthorized writes by anyone who can use it.

Missing User Warnings

Medium
Confidence: 96%
Finding
The README instructs users to place SWARM_GIST_ID in CLAUDE.md without warning that project instruction files are often committed to version control or shared with collaborators. In this design, the gist ID functions as an access handle to the private coordination channel, so committing it can expose private swarm communications and permit unauthorized participation.

Vague Triggers

Medium
Confidence: 76%
Finding
The activation examples are broad enough that a user phrase like 'initialize seddo' or 'set up agent sharing' could trigger the skill in contexts where the user did not intend GitHub/Gist operations. In this skill, activation can lead to credential checks, config writes, and network-side resource creation, so over-broad triggering increases the chance of unintended sensitive actions.

Missing User Warnings

Medium
Confidence: 97%
Finding
The one-liner clones a remote repository and immediately executes `install.sh` via `bash` without any integrity verification or safety warning. This is dangerous because any compromise of the repository, transport, or referenced script results in arbitrary code execution on the user's machine.

Missing User Warnings

Low
Confidence: 82%
Finding
The setup flow states that `seddo join` writes configuration to `~/.seddo`, but the surrounding instructions do not prominently warn users that a local config file containing coordination metadata will be created or modified. Hidden local state is risky because it can persist across sessions and affect later agent behavior unexpectedly.

Missing User Warnings

Low
Confidence: 78%
Finding
The pre-flight checks include creating and deleting a temporary gist, which is a real network-side action against the user's GitHub account, but the skill does not warn about that side effect before instructing it. Users may not expect resource creation, audit-log entries, or token use during what appears to be a harmless readiness check.

VirusTotal

VirusTotal findings are pending for this skill version.
