Security audit

orchestrator-v4

Security checks across malware telemetry and agentic risk

Overview

This skill is a real multi-agent project orchestrator, but it can automatically scan projects, spawn same-permission workers, and run batch fixes without strong user confirmation or rollback controls.

Install only if you intentionally want multi-agent automation over a codebase. Use it in version-controlled workspaces, review the generated plan before dispatch, require manual approval for fix mode, inspect diffs after each batch, avoid running it over secrets-heavy directories, and disable or clear checkpoints/logs if persistent task context is not acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documents shell execution, filesystem scanning, file reads, and file writes, but no explicit permission declaration is present. That creates a capability/transparency gap: a host or user may invoke a skill with broader operational access than is obvious from its manifest, increasing the chance of unintended code execution or project modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior materially exceeds the declared purpose: beyond orchestration, it includes autonomous auditing, retries, checkpoint persistence, health monitoring, subprocess bridge management, and broad local filesystem inspection. This mismatch is dangerous because reviewers and users may underestimate the real trust boundary and allow a skill that can persist state, spawn local processes, and inspect or modify a large codebase.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is presented primarily as an orchestrator, but the repair mode enables batch code-fix execution that can create or modify project files. That hidden expansion from coordination to direct mutation increases the risk of unauthorized or unexpected code changes, especially when combined with automated task generation and parallel workers.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code explicitly builds the child environment from `os.environ` and forwards it wholesale into every spawned subprocess. In an orchestrator context, worker subprocesses may be less trusted or may handle generated code, so inheriting all parent secrets and tokens can expose API keys, cloud credentials, repository tokens, and other sensitive runtime context to the child process.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The orchestrator advertises general worker tool availability including `shell_exec` and `code_execution`, which materially expands what spawned workers may do beyond simple task routing. In an orchestration skill, exposing arbitrary execution primitives without explicit least-privilege gating can let prompt-influenced workers run commands, modify the workspace, or pivot into sensitive local resources.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The long-task keyword list includes `渗透测试` (penetration testing), meaning the orchestrator may classify and facilitate offensive security activity as a supported workload. Because this skill's stated purpose is generic orchestration, not authorized security testing, this broadens the operational scope into higher-risk behavior without visible policy or consent checks.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The resume-with-redirect logic claims to clear running tasks, but only updates internal bookkeeping to `cancelled` and does not actually terminate the spawned subagents. This creates a dangerous mismatch where users or higher-level controls may believe prior work stopped while background workers continue processing old instructions, potentially reading files or producing outputs under stale intent.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger conditions are extremely broad, covering complex tasks, analysis, code generation, debugging, research, and any need for scheduling workers. Overbroad activation can cause the skill to be selected for ordinary requests where users did not intend parallel spawning, shell use, scanning, or file modification, raising the likelihood of unnecessary exposure to powerful capabilities.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The monitor logs and exposes `session_key` values through both `register()` logging and `poke()` responses. Session keys are authentication or correlation secrets in many agent orchestration systems, so leaking them to logs or broad status APIs can enable session hijacking, unauthorized tracking, or lateral access if logs are accessible to operators, other tenants, or downstream tooling. In this orchestrator context, the issue is more dangerous because the component centrally tracks multiple child agents, making it a high-value aggregation point for sensitive identifiers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The slow/fast prompt builders include conversation history, requirements, constraints, available tools, and file contents, and those are forwarded wholesale into sub-agent tasks. In an orchestration skill, this can cause unnecessary propagation of sensitive user data, secrets, proprietary code, or prior instructions to spawned agents without minimization, consent, or clear disclosure, increasing prompt-injection and data-exposure risk across agent boundaries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code silently forwards the full parent environment to spawned subprocesses with no warning or consent mechanism. Even if the subprocess is intended, lack of transparency increases the chance that operators unknowingly leak credentials and contextual data into child processes, especially in an AI-worker orchestration system where task execution may be dynamic.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Sub-agent execution is initiated automatically, with no user-facing notice or confirmation before work is delegated to isolated workers. In this skill, spawning can lead to additional file access, tool use, and persistence behaviors, so silent delegation undermines informed consent and increases the chance of unintended actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
`scan_task_scope` can recursively enumerate project files and open them to count lines and classify language, all without visible disclosure or consent flow. In practice this means a natural-language request can trigger broad workspace inspection, including sensitive config material such as `.env` and `.ini`, which is especially risky in an orchestrator that may forward derived context to other workers.

Ssd 3

Medium
Confidence
97% confidence
Finding
The orchestrator persistently checkpoints conversation history and request context to disk and can automatically reload them on startup. That creates durable storage of user-provided natural-language content, increasing exposure of sensitive prompts, code, secrets, and prior context beyond the originating session.

Ssd 3

Medium
Confidence
90% confidence
Finding
The context manager intentionally injects recent user and assistant messages into future prompts, which can cause prior sensitive inputs to be resurfaced or propagated to subsequent workers. In an orchestrator that spawns subagents, this increases the chance that earlier secrets or confidential instructions leak across task boundaries.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

No suspicious patterns detected.