Claw Mission Killer

Security checks across malware telemetry and agentic risk

Overview

This skill does not show exfiltration or deception, but it can force-stop agents, rewrite transcripts, and persistently change multiple agents' instructions without strong confirmation controls.

Install only if you explicitly want a local agent-control tool that can terminate running work, roll back recent agent memory, and modify other agents' AGENTS.md files. Use --dry-run first, prefer --agent over all-agent actions, review any AGENTS.md changes before applying them, and do not schedule watch.py unless you accept ongoing automatic changes to new agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
Automatic background watching and cron-based auto-injection introduce persistence and self-propagating modification behavior unrelated to a one-shot interrupt tool. In a multi-agent environment, this increases the blast radius by silently extending the skill's control surface to newly created agents over time.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
Installation-time modification of all agents' AGENTS.md files exceeds the stated mission-kill function and creates an implicit supply-chain style change to every configured agent. This broad cross-agent mutation can alter behavior outside the user's immediate intent and makes later actions harder to audit.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The installer introduces persistent behavior changes across agents by appending execution instructions to every agent's AGENTS.md, which exceeds the narrowly described 'interrupt and rollback' runtime capability. Even if intended for integration, this creates environment-wide modification of agent behavior and trust boundaries, making the skill more invasive than its manifest suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
This code performs bulk rewriting of agent-facing instruction files, which can alter how agents execute long-running commands across the whole environment. Because AGENTS.md influences agent behavior, mass appending content creates a supply-chain style risk: a single skill install can silently and persistently change multiple agents beyond the immediate kill operation users expect.

Context-Inappropriate Capability

Severity: Low
Confidence: 86%
Finding
Reading the global OpenClaw configuration and targeting all configured agents by default gives the installer environment-wide reach. In the context of a kill-and-rollback skill, this broad default increases blast radius and makes accidental or unauthorized persistent changes more likely, even though the immediate code here is not directly destructive.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The script claims to roll back to the state before the last triggering user message, but it actually truncates the transcript at the most recent user-role message regardless of whether that message triggered the interrupt. In an agent-management skill, this mismatch can silently delete unrelated conversation history and corrupt session state, especially in automated or bulk interrupt scenarios.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
This script enumerates all configured agents and persistently modifies each agent's AGENTS.md by appending operational instructions, which is behavior far beyond an on-demand interrupt/rollback utility. Because AGENTS.md influences future agent behavior, this creates cross-agent persistence and silently changes execution policy for unrelated agents, increasing the blast radius of the skill.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The code reads global OpenClaw configuration, discovers all agents, and writes persistent instructions into their workspaces, establishing cross-agent influence not justified by the skill's declared purpose. In the context of a kill/rollback skill, this is especially dangerous because it embeds a mechanism to steer how long-running tasks are launched across the environment, effectively altering future agent execution semantics.

Intent-Code Divergence

Severity: Medium
Confidence: 82%
Finding
The module docstring explicitly states the script will 'auto-install' and 'inject the integration' into newly created agents, which materially conflicts with the manifest's framing as a user-invoked interrupt/reset tool. This mismatch is a strong indicator of undisclosed persistent behavior and makes the skill more dangerous because users may grant it trust appropriate for a recovery utility while it performs broader environment modification.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
Overly broad trigger phrases such as 'kill all' or generic interruption language can overlap with ordinary conversation and cause accidental activation of a destructive skill. Because this skill can terminate processes and roll back session memory, mistaken invocation could disrupt active work or erase recent context across one or more agents.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation does not prominently warn that the action is destructive, involving process termination and transcript rollback. Without explicit warnings and confirmation requirements, users may not understand that recent work can be lost or that interrupted agents may be reset to a prior state.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The rollback routine writes removed transcript messages to a backup log on disk, which can include sensitive user prompts, model outputs, credentials, or personal data, without any explicit warning, minimization, or access-control handling. In this skill's context, the feature is specifically designed to manipulate agent conversation history, so silently duplicating deleted content increases privacy and data-retention risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script force-kills processes with Stop-Process -Force or kill -9, including an all-agents mode, without requiring confirmation or a safer staged shutdown. In an agent orchestration environment, this makes accidental invocation or ambiguous targeting more dangerous because it can abruptly terminate active work and lead to data loss or service disruption.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script appends content to AGENTS.md without prior confirmation, approval, or meaningful disclosure beyond stdout logging after the fact. Silent modification of instruction files is dangerous because it changes future agent behavior in a durable way, and users may never notice that their agent policies were altered.

VirusTotal

64/64 vendors flagged this skill as clean.
