ClawHub

Parallel Task Executor

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only parallel task runner, but it encourages broad file, shell, network, API, and database actions to run automatically and concurrently without clear safety controls.

Install only if you intentionally want an agent to coordinate multiple tool-using tasks. Require the agent to show the planned task list first, and approve deletes, writes, uploads, shell/script execution, API mutations, database actions, retries, and background work explicitly. Use narrow directory, command, account, and domain limits wherever possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This section explicitly supports file operations, browser actions, shell/script execution, network requests, and database queries, then describes an execution flow that automatically parses commands and executes them in parallel. Because there is no requirement for user confirmation, permission checks, scope restriction, or safety gating before destructive or system-affecting actions, the skill can amplify harmful user input into multiple concurrent side effects.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples normalize automatic execution of creating files, downloading files, and deleting temporary files, all presented as succeeding without warnings or confirmation. In a parallel task executor, such examples are more dangerous because they encourage batching potentially destructive operations and imply that side effects should occur immediately once parsed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal