Genor's Project Orchestration

Security checks across malware telemetry and agentic risk

Overview

The skill's project-orchestration purpose is mostly coherent, but it performs broad local project discovery, persistent logging, and optional scheduled execution, and it starts an unauthenticated dashboard bound to all network interfaces.

Install only if you are comfortable with an orchestration skill that writes persistent project/session files, probes model providers, and may inspect local project directories. Set a dedicated ORCHESTRATOR_DATA_DIR, avoid logging secrets or full connection strings, approve project discovery one path at a time, do not enable cron unless you want recurring network checks, and run the dashboard only on trusted networks or after changing it to bind to localhost.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (16)

MCP Least Privilege

Medium
Confidence
92% confidence
Finding
The skill advertises and instructs use of shell, environment-variable, and network-capable operations, but the manifest does not declare corresponding permissions or safety boundaries. This creates a transparency and consent problem: users or hosting platforms cannot accurately assess that the skill may execute local scripts, read environment configuration, and contact external services.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The onboarding flow directs the agent to search broad user locations such as `~/projects`, `~/code`, `~/src`, and any `.planning/` or `.git` directories. That expands access beyond the skill's own data directory and can expose unrelated repositories and sensitive source trees without a narrowly scoped, explicit consent boundary. In an agent setting, filesystem discovery instructions are especially risky because they can convert a simple setup action into bulk enumeration of private user data.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The README instructs the agent to install a nightly cron job for price checks, which creates persistence and scheduled execution on the host. Persistence mechanisms are security-sensitive because they extend the skill's behavior beyond the current session and may continue making network requests or running scripts without ongoing user awareness. In a documentation-driven agent, normalizing cron installation increases the chance of unreviewed background execution.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The dashboard serves potentially sensitive orchestration data over HTTP and explicitly enables cross-origin access with `Access-Control-Allow-Origin: *`. Combined with binding the server to `0.0.0.0`, this broadens exposure beyond a local debugging tool and can allow any website or network-reachable client to read session, model, and status data if the service is reachable from a browser or adjacent network.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script explicitly tells the LLM to perform project discovery by checking broad home-directory locations such as `~/projects` and `~/code`. That expands the onboarding scope from provider/model setup into filesystem enumeration of potentially unrelated user data, which can lead to over-collection of sensitive repository names, paths, and metadata without clear necessity or consent.

Context-Inappropriate Capability

Low
Confidence
76% confidence
Finding
The onboarding helper directs the LLM to ask about cron setup for nightly price checks, introducing persistence/system scheduling beyond simple initialization. Even though it does not install cron itself here, this guidance encourages creation of recurring background behavior that may surprise users and increase attack surface if later automated without strong consent boundaries.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The example invocation "Start project MyThing" is broad natural-language phrasing that can overlap with ordinary conversation, increasing the chance that the skill triggers onboarding actions unintentionally. Ambiguous activation is dangerous for an agent because it can lead to unexpected file creation, scanning, logging, or other side effects from casual user text. In this skill, those side effects are substantial enough to treat loose trigger phrasing as a real safety issue.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The project-onboarding trigger examples are similarly ambiguous and can cause the agent to start modifying project state based on loosely phrased user requests. Because onboarding here creates planning files, logs sessions, and may inspect repositories, accidental invocation can produce privacy-impacting reads and unintended writes. The skill context makes this more dangerous because onboarding is not a read-only action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation tells the agent to inspect common user directories and repositories without a clear privacy warning or a consent model tied to a specific path. Even if intended for convenience, that normalizes broad discovery of potentially sensitive code and metadata. In an orchestration skill, this is particularly risky because users may not expect setup to enumerate unrelated projects under their home directory.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The architecture documentation step explicitly calls for recording environment variables, database URLs, and external service dependencies in project documentation. Without a warning or filtering guidance, this can lead the agent to persist secrets or sensitive infrastructure details into markdown files and long-lived orchestrator state. That creates a durable exposure risk because these files may be committed, shared, or indexed later.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section tells users to run onboarding and project-init scripts that create directories and write planning/orchestration files, but it does not clearly warn that these commands will modify the filesystem. In an agent setting, that omission can lead to unexpected writes in user workspaces or adjacent data directories, especially because the default data path points outside the skill root.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The listed scripts include actions such as probing providers, testing model endpoints, checking prices, and starting a dashboard, all of which may initiate network connections or expose local services. Without explicit notice, users may unintentionally transmit configuration details, hit third-party APIs, or bind a local web interface in environments where such activity is sensitive.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The startup output advertises the local URL and data path override but does not clearly warn that the server listens on all interfaces and exposes orchestration data over the network. In this skill context, the dashboard is for debugging, so the lack of a prominent disclosure warning increases the chance that operators unintentionally expose sensitive operational data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script persistently stores full session notes and optional context to disk, including arbitrary content from `--context` or `--context-file`, without any warning, consent mechanism, redaction, or sensitivity checks. In a project orchestration skill, those fields can easily contain secrets, proprietary code, internal decisions, or user data, so the persistence behavior increases the risk of unintended data retention and later disclosure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script writes files under the orchestrator data directory and may execute a secondary script, `discover-models.sh`, without an upfront confirmation prompt. In a skill context where execution may be agent-driven, this can cause unintended state changes or execution of additional logic before the user has clearly approved those actions.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script probes both an external service (`openrouter.ai`) and a local service (`localhost:1234`) as part of discovery, but the user-facing banner does not clearly disclose that network checks will be performed. Silent probing can leak metadata about the environment and may violate user expectations in restricted or privacy-sensitive setups.

VirusTotal

64/64 vendors flagged this skill as clean.
