Multi Agent Collaboration

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it bundles broad social/content monitoring and personal profiling memory features that are not clearly disclosed by its main description.

Install only if you are comfortable with local persistent memory and personal/workflow profiling. Review and restrict the memory directory, avoid entering secrets or sensitive personal details, and prefer a sandboxed/test namespace until the publisher clearly documents retention, deletion, consent, and which modules are actually in scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (32)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The file content materially diverges from the advertised skill purpose: instead of an engineering-oriented multi-agent collaboration system, it implements social-media surveillance, trend scoring, and content strategy generation. This mismatch can mislead users and downstream systems into granting the skill broader trust, permissions, or deployment contexts than its actual behavior warrants.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The coordinator prompt reinforces the same deceptive scope mismatch by orchestrating a 4-module content/trend workflow rather than the described six-role, verification-centric engineering system. In agent ecosystems, orchestration prompts define real behavior, so this discrepancy increases the risk of unauthorized or unexpected actions under a misleading label.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The prompts direct broad collection from multiple consumer platforms unrelated to the stated engineering-collaboration purpose, expanding data access and monitoring scope without clear necessity. Unjustified data gathering increases privacy, compliance, and abuse risk, especially if operators enable web tools assuming a narrower engineering use case.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The file implements a personal goal-tracking and psychological reflection system that is materially unrelated to the declared multi-agent collaboration/engineering purpose of the skill. In a security review, this kind of scope divergence is dangerous because it can hide unexpected data collection and processing paths that users and operators would not reasonably expect from the skill’s manifest.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The code analyzes motivations, identifies 'blind spots,' generates an 'AI mirror' letter, and predicts a user's future self, all of which amount to psychological profiling. This is risky because it processes sensitive inferred personal attributes unrelated to the stated engineering purpose, increasing privacy, compliance, and user-harm risk if the data is inaccurate, exposed, or used without informed consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The file’s content describes a four-module information/content/state/workflow system with layered memory, which does not match the declared multi-agent collaboration skill. This mismatch is dangerous because operators and users may rely on inaccurate documentation, causing unintended deployment of features like profiling, memory retention, or workflow behaviors outside the stated scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The document introduces long-term user state tracking, emotional analysis, growth trajectory analysis, and historical profiling that are not justified by the skill’s stated purpose of multi-agent collaboration. This is dangerous because it expands the system into sensitive profiling territory, increasing privacy risk and enabling collection or inference of intimate user attributes without clear necessity.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The reflection engine is presented as an evaluation and verification mechanism, but it always returns passing scores regardless of the actual output. In a multi-agent coordination skill that emphasizes verification and safer execution, this can create a false assurance layer that allows bad, unsafe, or policy-violating results to be accepted downstream.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The demo states that it does not change existing settings, yet it instantiates the collaboration system and persists a new time-decay configuration into L3 memory. In an agent skill context, demos are often executed by users for evaluation, so hidden or undocumented state changes can alter later system behavior, create confusing persistence, and violate operator expectations.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill instructs collection of content from platforms including WeChat public accounts but provides no user-facing notice about privacy, retention, legal basis, or handling of scraped third-party content. In a multi-agent workflow, silent cross-platform aggregation can expose operators to privacy and compliance violations and surprise users about the breadth of monitoring.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The document explicitly describes a user-adaptive behavior of 'skip_confirmations', which can reduce or remove human approval before multi-agent actions proceed. In a skill focused on coordination, routing, and safer execution pipelines, normalizing skipped confirmations increases the chance of unintended tool use, unsafe state changes, or silent progression through risky workflow branches without adequate user consent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The code persistently stores user-supplied memory content to disk via save() without any visible consent, disclosure, retention control, or filtering of sensitive data. In an agent skill focused on long-lived multi-agent collaboration and memory, this increases the chance that private user prompts, project details, or secrets are retained unexpectedly and exposed through later retrieval or filesystem access.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The module persistently writes working, experience, knowledge, and wisdom memory to local disk automatically, but there is no consent flow, disclosure, retention control, or data minimization. In a multi-agent collaboration skill, these stores can accumulate sensitive prompts, task content, credentials, or user data and make them recoverable long after the original session.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Cross-system synchronization writes shared memory artifacts to disk without any user-facing notice or access policy checks. That expands the scope of persisted data beyond one subsystem and increases the chance of unintended disclosure between agents, tools, or tenants sharing the same filesystem.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: Sensitive personal data including goals, motivations, blind spots, reports, and predictions is persisted into multiple memory tiers and later synced to other systems without any visible consent, minimization, or access-control checks in this file. This creates a clear confidentiality and secondary-use risk: deeply personal data can spread across subsystems and be retained beyond user expectations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documentation instructs users to delete the memory directory as a reset operation without any warning about irreversible data loss, backup guidance at the point of deletion, or confirmation safeguards. In an agent skill context, destructive shell snippets are more dangerous because users or downstream automation may copy-paste them verbatim, causing accidental loss of stored user data.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The retention policy specifies long-lived and even permanent storage of workflow and user-related memories without any user-facing privacy notice, consent flow, or deletion policy. This is dangerous because persistent storage increases the blast radius of data exposure and creates compliance and trust risks when users are not informed how long their data is kept.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The module design uses user historical data plus emotional and state analysis to generate insights, but gives no warning that sensitive personal profiling may occur. This is dangerous because such inference can reveal mental state, habits, or behavioral trends, and users may unknowingly submit data into a system performing high-risk profiling.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The workflow explicitly includes cross-platform information collection and later modules include recording user history and operation steps, but the document provides no privacy notice, consent gating, data minimization rules, retention limits, or handling constraints. In a multi-agent system, this omission increases the chance that personal, behavioral, or account-linked data is collected and propagated between modules without users understanding the scope or downstream use.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The status-insight module describes building a historical user memory and analyzing energy allocation, growth trajectory, and emotional state, which amounts to sensitive personal profiling. Without explicit consent, purpose limitation, safeguards, and opt-out controls, this can expose deeply personal inferences, create privacy harm, and enable inappropriate psychological profiling or overcollection across sessions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The code persistently writes conversation-derived memory entries, including free-form `content`, to disk via `save()` with no consent flow, notice, retention control, or data minimization. In a multi-agent collaboration skill, this is risky because users may provide secrets, personal data, or proprietary project details that are silently retained and later accessible to other components or future runs.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: `backgroundExtract()` automatically classifies and stores entire `turnText` values whenever simple regexes match, causing silent persistence of whole user messages. This is dangerous because background processing may capture sensitive information far beyond the intended memory fact, and the user is not given an opportunity to review, redact, or decline storage.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The code defines and updates a user profile containing behavioral and preference data such as skip habits, decision timing, recommendation acceptance, and workflow preferences, yet provides no notice, consent flow, retention policy, or access controls. In an agent skill context, hidden profiling can create privacy risk, enable covert behavior shaping, and violate user expectations or policy requirements if persisted or shared later.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The code creates and updates persistent per-user profiles containing behavioral history and inferred adaptation settings without any visible consent, notice, retention control, or minimization. In a skill handling personal goals and self-awareness data, this increases privacy risk because sensitive behavioral patterns can be stored and reused silently across sessions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The weekly report function persists goal objects to long-term memory with tags and priority-derived weighting, but there is no visible user disclosure, consent check, or sensitivity filter. Because goals can contain intimate personal information, silent persistence creates privacy and secondary-use risks if memory is later queried, synced, or exposed to other subsystems.

VirusTotal

66/66 vendors flagged this skill as clean.