Boss

Security checks across malware telemetry and agentic risk

Overview

The skill's automated coding-and-deployment behavior is openly disclosed in its documentation, but it can make broad changes to the project and the environment with weak confirmation boundaries.

Install only if you want a highly autonomous coding workflow. Use it in a clean branch or sandbox, avoid `--quick` for important projects, use `--skip-deploy` unless deployment is explicitly intended, and require approval before dependency installs, Docker/service startup, global package installs, or production-affecting commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The trigger set includes very broad natural-language phrases such as '帮我做一个' (roughly "help me make a ..."), 'build this', 'ship it', '全流程' ("full pipeline"), and 'new feature', which can easily appear in ordinary conversation and unintentionally activate a highly privileged automation workflow. In this skill's context, accidental invocation is more dangerous because the documented behavior spans end-to-end planning, code generation, testing, deployment, and URL delivery, so a false trigger could launch substantial autonomous actions without clear user consent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The design emphasizes '一键完成从需求到部署' ("one click from requirements to deployment") and '无需人工干预' ("no human intervention needed") but does not present any user-facing warning about repository modification, code execution, test runs, infrastructure changes, deployment, or external exposure via a returned URL. Because this skill orchestrates a full SDLC pipeline and includes deployment and health checks, the omission of explicit warnings and consent boundaries materially increases the risk of unexpected destructive or externally visible actions.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger list includes very broad natural-language phrases such as '帮我做一个' (roughly "help me make a ..."), 'build this', 'ship it', 'start a project', and 'new feature', which can match ordinary user requests that do not clearly indicate consent for a highly autonomous multi-agent workflow. In this skill's context, accidental activation is more dangerous because the workflow can generate artifacts, modify a codebase, and potentially proceed toward deployment with limited friction, especially when combined with automation flags like '--quick'.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README advertises a full pipeline 'from requirements to deployment' and documents writing artifacts into '.boss/<feature>/' plus a deployment stage, but it does not present a prominent user-facing warning about filesystem modification, service changes, secrets exposure risk, or infrastructure impact. In an orchestration skill that spans development, QA, and DevOps, missing safety disclosures and guardrails materially increase the chance that users trigger impactful actions without understanding the consequences.

Vague Triggers

Severity: High
Confidence: 93%
Finding
The trigger list is extremely broad, including phrases like '帮我做一个' (roughly "help me make a ..."), 'build this', 'ship it', 'start a project', and 'new feature', which can match ordinary user requests that do not imply consent for a powerful autonomous pipeline. In this context, accidental activation is dangerous because the skill is designed to orchestrate multi-agent development, write files, and potentially deploy software with limited additional confirmation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly advertises '全自动执行' ("fully automatic execution") and later instructs saving artifacts to disk and performing deployment, yet it does not present a strong upfront warning about filesystem and environment impact. In an agent setting, automatic writing to `.boss/<feature>/` and optional deployment can change repositories or systems in ways the user may not expect, especially when combined with broad triggers and the `--quick` mode that skips confirmations.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding
The skill mandates that all output must be in Chinese, removing user choice and potentially obscuring security-relevant warnings or reviewability for users who do not read Chinese. This is primarily a policy/usability risk rather than a direct exploit primitive, but in an agentic workflow it can reduce oversight and increase the chance that unsafe actions are approved without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly requires environment configuration, dependency installation, builds, service startup, and health checks, but does not require user confirmation first, and does not warn that these operations modify the system, install software, start long-running processes, or expose local network services. In an agent environment that holds Bash/Write tool permissions, this leads the agent to execute side-effecting deployment operations directly, increasing the risk of unintended environment changes, resource consumption, and accidental service exposure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The deployment strategy table gives commands such as npm run dev, npm start, python app.py, docker-compose up -d, and npx serve verbatim, and implies that the default ports are served for access, but includes no warning about network exposure, background processes, resource consumption, or the unsuitability of development servers for production use. If an agent executes these automatically, it may start services in the wrong environment, open listening ports, and even bring up containers and background processes, expanding the attack surface.
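The overview recommends requiring approval before dependency installs, Docker/service startup, global package installs, or production-affecting commands, and the finding above lists the kinds of commands the deployment table hands to the agent. The following is an added example of an approval gate an orchestrator could run on each proposed command before executing it; it is not code from the Boss skill or from the scanner. The rule tables (installer names, service-start prefixes, entrypoint file names), the reason strings, and the function names are assumptions made for this example, and the sample plan is constructed.

```python
"""Approval gate for shell commands proposed by an autonomous coding skill.

Added example, not code from the Boss skill or from the scanner. Commands that
install dependencies, install packages globally, escalate privileges, start
services or containers, bind to all interfaces, publish container ports or
detach into the background are held for human approval; everything else may
run. All rule tables and names below are assumptions for this example.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

SEPARATORS = {"&&", "||", ";", "|", "&"}
PUNCT = set("();<>|&")  # shlex punctuation_chars; bare runs of these are not arguments
INSTALLERS = {"npm", "pnpm", "yarn", "pip", "pip3", "uv", "poetry", "cargo", "gem", "apt", "apt-get", "brew"}
INSTALL_VERBS = {"install", "i", "ci", "add", "sync"}
GLOBAL_FLAGS = {"-g", "--global", "--system", "--break-system-packages"}
ALWAYS_GLOBAL = {"cargo", "gem", "apt", "apt-get", "brew"}  # these write outside the project tree
# Command prefixes that start a long-running service or container (assumed list).
SERVICE_PREFIXES = (
    ("npm", "start"), ("npm", "run", "dev"), ("npm", "run", "start"), ("npm", "run", "serve"),
    ("yarn", "dev"), ("yarn", "start"), ("pnpm", "dev"), ("npx", "serve"),
    ("flask", "run"), ("uvicorn",), ("gunicorn",), ("docker", "run"),
    ("docker", "compose", "up"), ("docker-compose", "up"), ("systemctl", "start"),
)
RUNTIMES = {"python", "python3", "node"}
ENTRYPOINTS = {"app.py", "server.py", "main.py", "manage.py", "server.js", "index.js", "app.js"}
DETACH_FLAGS = {"-d", "--detach"}


@dataclass(frozen=True)
class Decision:
    command: str
    reasons: tuple[str, ...]  # empty means the command may run without asking

    @property
    def needs_approval(self) -> bool:
        return bool(self.reasons)


def _tokens(command: str) -> list[str]:
    """Tokenize like a shell: quotes are honoured and &&, ||, ;, | and & become their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def _segments(tokens: list[str]) -> list[list[str]]:
    """Split a token stream into simple commands, dropping redirection/grouping punctuation."""
    segments, current = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            if current:
                segments.append(current)
            current = []
        elif not set(tok) <= PUNCT:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def _check_segment(argv: list[str]) -> list[str]:
    reasons = []
    if argv and argv[0] == "sudo":
        reasons.append("privilege escalation via sudo")
        argv = argv[1:]
        while argv and argv[0].startswith("-"):  # skip sudo's own flags (approximation)
            argv.pop(0)
    if not argv:
        return reasons
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if prog in INSTALLERS and any(a in INSTALL_VERBS for a in args):
        scope = "global" if prog in ALWAYS_GLOBAL or any(a in GLOBAL_FLAGS for a in args) else "project"
        reasons.append(f"{scope} package install via {prog}")
    full = (prog, *args)
    for prefix in SERVICE_PREFIXES:
        if full[: len(prefix)] == prefix:
            reasons.append(f"starts a service: {' '.join(prefix)}")
            break
    else:
        if prog in RUNTIMES:  # e.g. "python app.py" from the deployment table
            target = next((a for a in args if not a.startswith("-")), "")
            if target.rsplit("/", 1)[-1] in ENTRYPOINTS:
                reasons.append(f"runs an application entrypoint: {prog} {target}")
    if any("0.0.0.0" in a or "[::]" in a for a in args):
        reasons.append("binds to all interfaces")
    if prog in {"docker", "docker-compose"}:
        if any(a in DETACH_FLAGS for a in args):
            reasons.append("detaches containers into the background")
        if any(a in {"-p", "--publish"} or a.startswith("--publish=") for a in args):
            reasons.append("publishes a container port")
    return reasons


def classify(command: str) -> Decision:
    """Decide whether one shell line may run unattended or must wait for approval."""
    tokens = _tokens(command)
    reasons = ["backgrounds a process with &"] if "&" in tokens else []
    for segment in _segments(tokens):
        reasons.extend(_check_segment(segment))
    return Decision(command, tuple(dict.fromkeys(reasons)))


def review(plan: list[str]) -> tuple[list[Decision], list[Decision]]:
    """Partition a proposed command plan into (may run, held for approval)."""
    auto, held = [], []
    for command in plan:
        decision = classify(command)
        (held if decision.needs_approval else auto).append(decision)
    return auto, held


# Constructed sample plan in the shape of the README's deployment table (not taken from the skill).
SAMPLE_PLAN = ["git status", "npm ci", "npm run build", "npm run dev &",
               "docker-compose up -d", "npx serve -l 0.0.0.0:3000"]

if __name__ == "__main__":
    for d in review(SAMPLE_PLAN)[1]:
        print(f"APPROVE? {d.command}  [{'; '.join(d.reasons)}]")
```

The gate is deliberately a deny-list over observable command shape, so it will miss a service started through a wrapper script; the point is that the orchestrator never executes a held command until a human has seen the reasons, and that a `--quick` style flag should suppress only the confirmations for commands that come back with no reasons.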

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding
The skill unconditionally requires all outputs to be in Chinese, overriding user preference and potentially the expectations of the system prompt or a higher-level task. In a multi-agent orchestration context, this can cause downstream agents, tools, or users to misunderstand results, leading to workflow errors, unsafe assumptions, or failure to surface critical information in the language the caller requires.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The document explicitly promotes a fully automated, no-confirmation workflow from requirements through deployment, which can normalize unsafe agent behavior such as writing files, changing code, and deploying services without explicit user consent. In the context of an orchestration skill triggered by broad phrases like 'build this' or 'ship it', this increases the chance of unintended destructive actions or public exposure of artifacts.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The deployment section describes producing a deploy report and an accessible URL but omits any warning about external side effects, credential use, infrastructure changes, cost, or data exposure. For an agent skill whose purpose is end-to-end automation, this can lead operators to authorize or trigger deployment behavior without understanding that it may publish an application or alter live environments.

VirusTotal

66/66 vendors reported this skill as clean (no detections). A clean antivirus verdict does not address the findings above: they concern the skill's documented, intended behavior (broad triggers, unconfirmed installs and deployments), not malicious code that signature scanning would catch.
