Autonomous Agent CEO Architecture by Emergence

Security checks across malware telemetry and agentic risk

Overview

This is a coherent autonomous GitHub agent setup, but it needs review because it runs continuously with credentials and can modify repository state without well-defined safety gates.

Install only in a controlled test or low-risk repository first. Use a dedicated GitHub bot or fine-grained token with minimum repository access, protect branches, require PR review, keep .env out of version control, restrict file permissions, monitor cron output, and avoid giving the agent production deployment, billing, or broad organization credentials unless you add explicit approval gates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Intent-Code Divergence

Medium
Confidence
91%
Finding
The file gives conflicting authority boundaries: the agent is described as the 'CEO and Strategy Engine' that reads strategic intent and drives execution, while the human section says humans handle strategy and judgment. In an autonomous multi-agent system, this ambiguity can cause the agent to exceed intended authority, reinterpret approvals, or make strategic decisions without clear human sign-off, increasing the risk of unsafe autonomous actions.

Missing User Warnings

Medium
Confidence
92%
Finding
The scheduled workflow is explicitly designed to post analysis comments on GitHub issues and modify MEMORY.md autonomously, but the file provides no user-facing warning, approval gate, or audit-oriented safeguard around those write actions. In a 24/7 autonomous multi-agent architecture, silent recurring writes increase the risk of unauthorized repository changes, confusing issue activity, and unintended persistence of sensitive or low-quality strategic content.

Missing User Warnings

Medium
Confidence
85%
Finding
The skill asks users to supply API keys and GitHub repository information to an autonomous, continuously running agent system without a prominent security warning about credential scope, storage, and risk. In this context, long-lived credentials given to a 24/7 autonomous process increase the chance of misuse, over-permissioning, or accidental exposure through logs, issues, or generated files.

Missing User Warnings

Low
Confidence
78%
Finding
The skill states that it maintains organizational memory in MEMORY.md but does not clearly disclose that it writes persistent state to a file. In an autonomous 24/7 agent context, undocumented persistent writes can lead to silent data modification, prompt/context poisoning, leakage of sensitive operational details, or corruption of future decision-making state.

Missing User Warnings

Medium
Confidence
93%
Finding
The quickstart directs users to store sensitive LLM API keys and optionally a GitHub token in a local .env file, but provides no guidance on preventing accidental disclosure through version control, file permissions, backups, logs, or screenshots. In this skill's context, the risk is heightened because it encourages running a long-lived autonomous agent with GitHub access on a VM, so leaked credentials could enable repository compromise, unauthorized API usage, and persistence in an always-on environment.

Missing User Warnings

Medium
Confidence
94%
Finding
The guide instructs users to create a .env file containing LLM API keys and GitHub information, but it does not warn that these values are sensitive, should never be committed, and must be protected on a continuously running VPS. In this skill context, the risk is elevated because the repository is shared between a laptop and autonomous agents using GitHub as shared state, increasing the chance of accidental exposure through commits, logs, backups, or overly broad filesystem access.

Missing User Warnings

Low
Confidence
89%
Finding
The instructions tell users to run gh auth login on both the VPS and laptop without warning that the resulting credentials can grant repository write access and may be usable by autonomous agents running on the server. In this architecture, unattended agents, cron jobs, and shared GitHub state make token misuse more dangerous because a compromised host or misconfigured agent could open issues, push code, or alter project state at scale.

Credential Access

High
Category
Privilege Escalation
Content
./scripts/scaffold.sh /path/to/your/workspace

# 3. Configure your environment
cp .env.example .env
# Edit .env with your LLM API key and GitHub repo info

# 4. Start the agent (choose your runtime)
Confidence
74%
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# 3. Configure your environment
cp .env.example .env
# Edit .env with your LLM API key and GitHub repo info

# 4. Start the agent (choose your runtime)
# openclaw gateway start          # OpenClaw
Confidence
72%
Finding
.env

VirusTotal

62/62 vendors flagged this skill as clean.
