ClawHub

Atlas Argos

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent ARGOS operator prompt, but it asks for broad system control, persistent automation, credential access, and external reporting that require careful review.

Install only in an ARGOS environment you own and are willing to let an agent administer. Before use, restrict filesystem, sudo, SSH, cron, background-process, credential, payment, and social-posting permissions; disable or narrow automatic Telegram reports unless the recipient, data categories, and redaction rules are explicitly approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly claims broad host powers including sudo, full filesystem, process control, crontab, network tools, and internet access, which substantially exceeds a narrowly scoped bot-operator role. In a prompt-driven agent, this creates dangerous authority expansion that can enable unauthorized system changes, persistence, lateral access to unrelated files, and abuse of host resources.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill authorizes autonomous external marketing activity across Telegram, X, Reddit, and future channels, including automated posting and growth tactics. While not intrinsically exploitative, this extends the agent into unsolicited external actions and reputation-affecting behavior beyond core system operation, increasing risk of spam, policy violations, or unintended disclosure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to create persistent watchdogs and sub-agents that run continuously in the background using nohup and shell scripts. This introduces autonomous persistence and secondary execution surfaces that can outlive the session, making mistakes harder to observe, control, or revoke.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document claims 'Segurança primeiro' and 'Nunca expor tokens, API keys, ou dados de users,' yet elsewhere instructs broad discovery and loading of .env secrets from /home and outbound notifications using those secrets. This contradiction is dangerous because the safety language may mask risky credential-handling behavior and normalize secret access without least privilege.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The 'Transparência total' requirement to notify everything conflicts with the promise not to expose tokens or user data, creating pressure to overshare sensitive operational or user information. In practice, such blanket reporting often leads to leakage of identifiers, payment status, or internal details through third-party messaging channels.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill directs the agent to read bot/admin credentials from .env files and immediately use them to send Telegram messages, without explicit user warning or consent for credential access and outbound transmission. This is risky because it combines secret retrieval with network exfiltration capabilities in a single embedded workflow.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill mandates persistent creation of local state, issues, payments, metrics, and changelog files, some of which can contain sensitive operational and payment information. Without clear disclosure, retention limits, or access controls, this can create unnecessary local data exposure and privacy risk.

Ssd 3

High
Confidence
99% confidence
Finding
The skill requires relaying essentially all actions, incidents, new users, and payment events to Félix via Telegram, including scheduled reports. This creates systematic third-party disclosure of operational and user-related data over an external service, increasing privacy, compliance, and confidentiality risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal