LoongFlow — PEES Iterative Agent

Security checks across malware telemetry and agentic risk

Overview

LoongFlow appears to be a real iterative optimization helper, but it grants broad background execution, monitoring, notification, and install authority that users should review before installing.

Install only if you are comfortable with an agent running iterative jobs in the background, modifying workspace files, installing code from a moving GitHub branch, reading LoongFlow task logs across configured workspaces, and sending progress summaries to a detected user. Use a dedicated workspace or branch, avoid exposing API keys, review created cron jobs, and confirm notification routing before starting tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium (92% confidence)
Finding: The instructions tell the agent to read `/root/.openclaw/openclaw.json` and use environment-derived identifiers to determine workspace context. That accesses local configuration and identity-related data beyond the minimum needed for a user-scoped optimization task, increasing the chance of unintended disclosure of filesystem layout, agent metadata, or user attribution in logs and downstream files.

Context-Inappropriate Capability

Severity: Medium (95% confidence)
Finding: The documentation instructs the agent to establish persistent cron-based monitoring and periodic user notifications, which goes beyond one-time task execution into ongoing autonomous behavior. Persistent scheduled actions expand the attack surface, can outlive the original user intent, and may create unauthorized background processing or repeated disclosure of task details.

Context-Inappropriate Capability

Severity: Medium (90% confidence)
Finding: The skill explicitly instructs a subagent to send completion notifications via `infoflow_send` and to ensure a shared monitoring cron exists for periodic progress messages. That creates an agent-initiated outbound messaging channel not clearly required for code optimization itself, increasing the chance of unsolicited notifications, data leakage in summaries, or abuse if task content is sensitive.

Context-Inappropriate Capability

Severity: Medium (87% confidence)
Finding: The workflow reads `/root/.openclaw/openclaw.json`, environment variables, and `whoami` output to derive workspace location and notification recipient. This expands the skill's access to host configuration and identity data beyond the narrow requirements of an iterative optimization loop, creating unnecessary exposure of local environment details and implicit recipient discovery.

Vague Triggers

Severity: Medium (91% confidence)
Finding: The trigger description is very broad: it activates on generic needs like optimization, iteration, or quality improvement, which are common across many unrelated coding tasks. In an agent harness, this can cause over-invocation of the skill, unexpectedly steering workflows into autonomous iterative execution, background subagents, or external framework setup when the user did not explicitly request LoongFlow.

Vague Triggers

Severity: Medium (88% confidence)
Finding: The main usage instruction says to use the skill whenever a task needs repeated polishing, but it does not define boundaries or require explicit confirmation before escalating into the skill's specialized flow. Because the skill later introduces asynchronous subagents, persistent task tracking, and background monitoring, this ambiguity can lead to unintended autonomy and workflow changes beyond what the user expected.

Missing User Warnings

Severity: Medium (98% confidence)
Finding: The instructions explicitly print the beginning of `ANTHROPIC_API_KEY` to the terminal. Even partial secret disclosure is sensitive because it can leak into shell history, logs, screenshots, or shared terminal transcripts, and it normalizes unsafe credential handling practices.

Missing User Warnings

Severity: Low (80% confidence)
Finding: The instructions persist task metadata into `.loongflow/tasks.json`, including task identifiers, workspace paths, status, scores, and `notifyUser`, without clearly warning the user that local state will be created and updated. While this is not inherently malicious, silent persistence can surprise users, expose sensitive task context, and leave residual metadata on disk.

VirusTotal

66/66 vendors flagged this skill as clean.