Create Project

Security checks across malware telemetry and agentic risk

Overview

This is a real Orchestrix project setup skill, but it installs automation that can auto-accept trust and approval prompts and commits a license key into the new repository.

Install only if you intentionally want Orchestrix-specific Claude Code hooks and tmux multi-agent automation in the created project. Before using it, remove auto-accept and auto-approve logic, keep .mcp.json or any license key out of git, review .claude/settings.local.json and the .orchestrix-core scripts, and be prepared to stop or remove the tmux session and hooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill performs shell-capable actions such as directory creation, file copying, chmod, and git initialization, yet the manifest does not declare permissions or prominently signal those capabilities. This weakens user consent and policy enforcement because a caller may invoke what appears to be a benign scaffolding skill without understanding it will execute filesystem-altering shell operations.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The advertised behavior is project scaffolding, but the documented behavior extends into automated tmux orchestration, hook injection, pane monitoring, command forwarding, and auto-acceptance of trust/approval prompts. That mismatch is dangerous because users may consent to setup actions without realizing the skill installs automation that can drive future agent behavior and bypass interactive safeguards.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: The skill collects a license key and writes it into a project config file as part of generic scaffolding. Storing credentials in project files increases the risk of accidental disclosure through source control, backups, logs, or later automation, especially when no sensitivity warning or secret-handling guidance is provided.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The skill states that bundled scripts automatically detect and accept Claude Code trust dialogs, effectively bypassing an interactive security gate. Auto-approving trust prompts undermines a control intended to prevent execution in untrusted directories and can normalize unsafe behavior in newly created or modified workspaces.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: After project creation, the skill continues into a multi-agent planning workflow, issuing additional agent commands beyond the stated scaffolding purpose. This expands the blast radius from file generation to autonomous orchestration and document production, which can surprise users and trigger unintended actions in the current session.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: The script goes beyond session creation and actively detects and dismisses a trust or safety prompt by sending Enter automatically. This defeats an interactive security control that is meant to require human review before trusting the workspace, which can cause users to unknowingly run in a trusted context for an unreviewed project.

Intent-Code Divergence
Severity: Medium
Confidence: 91%
Finding: The header and usage comments describe the script as only ensuring tmux sessions, but the implementation also auto-accepts a trust/safety dialog. This mismatch is dangerous because reviewers and users may approve or invoke the script under false assumptions, hiding behavior that suppresses a security decision point.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The script is presented as a passive completion monitor, but it actively sends approval input ('y' + Enter) into a tmux pane whenever a matching prompt indicator is seen. This can authorize actions the user did not review, enabling unintended command execution, file modification, configuration changes, or other privileged agent operations within the project setup flow.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The header comments describe the script as a completion monitor, but the implementation also performs active approval actions. This mismatch is dangerous because operators and reviewers may trust the script as read-only while it is actually capable of changing agent behavior and authorizing sensitive actions without visibility.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The script does substantially more than project scaffolding: it creates a multi-agent tmux environment, injects hooks, launches four Claude Code instances, auto-activates roles, and starts a workflow. This materially expands the skill's operational scope beyond its stated purpose, increasing attack surface and enabling unattended agent actions in a target repository.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The script inspects tmux panes for trust or safety prompts and automatically presses Enter to accept them, bypassing an important user security decision. This can cause Claude Code to trust and operate in a repository without meaningful human review, weakening safeguards intended to prevent unsafe execution in untrusted folders.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill instructs users to provide a license key and writes it to .mcp.json without any clear warning that the value is sensitive. This increases the likelihood of unsafe disclosure, especially if users later commit the file or share the project directory.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The skill performs substantial filesystem and shell-side effects (creating directories, copying executable scripts, changing permissions, and initializing git) without a strong up-front warning before collection begins. Users may provide information assuming a planning conversation, not realizing the skill will materially alter their home directory and install runnable components.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: Automatically accepting a trust or safety prompt without explicit user consent bypasses a safeguard specifically designed to prevent unsafe execution in untrusted folders. In this skill context, which scaffolds and initializes project workspaces, that behavior is more dangerous because it may be run routinely on newly created or externally sourced repositories, normalizing silent trust elevation.

Missing User Warnings
Severity: Medium
Confidence: 85%
Finding: The script logs handoff metadata and recovered commands to /tmp, including agent names, commands, session identifiers, and potentially sensitive workflow details derived from tmux panes and fallback files. In a multi-user or poorly isolated environment, temporary-file logging can expose operational context or project information to other local users and create unnecessary data retention of terminal-derived content.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: Automatically approving prompts in tmux without notifying or confirming with the user bypasses an important safety checkpoint. In a project scaffolding skill that installs configs, hooks, commands, and initializes repositories, this can silently permit risky or destructive operations that the user never intended to authorize.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The empty matcher causes the Stop hook to fire for every stop event rather than a narrowly scoped condition. In this skill, that means a shell command from the repository is executed broadly and automatically, increasing the chance of unintended command execution in projects where the hook script is modified, missing, or untrusted.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script writes to project-local security-relevant configuration and runtime paths, including .claude/settings.local.json and .orchestrix-core runtime files, without prior confirmation. Silent modification of hook configuration can alter future agent behavior and persist command execution triggers in the repository, which is especially risky in a project-creation skill where users may not expect config mutation.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The script automatically kills an existing tmux session with the derived session name before starting a new one, which can terminate active work without user approval. In a shared or reused environment, this can cause loss of state, interruption of ongoing agent tasks, and denial of service against another active session.

VirusTotal

65/65 vendors flagged this skill as clean.