Team Planner

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill plans multi-agent teamwork; its triggers are somewhat broad, but it does not execute code, access credentials, persist, or hide behavior.

Before installing, be aware that this skill may activate for generic team-planning language. Review any generated agent team and startup prompts before launching agents, keep each agent narrowly scoped, and avoid broadcasting secrets or unnecessary private data across multiple agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (91% confidence)
Finding
The trigger phrases are broad and generic, such as 'plan a team' and 'design agent roles', without clear scoping to trusted contexts or explicit user intent verification. This increases the chance of accidental or overly eager invocation, which can cause the assistant to enter multi-agent planning mode when the user did not intend it, potentially expanding tool use, complexity, or downstream attack surface.

Vague Triggers

Medium (93% confidence)
Finding
The skill metadata says it should trigger on broad phrases like planning a team, agent roles, collaboration, or any request for multi-agent coordination. That wide scope can cause the skill to activate for loosely related requests, leading to unintended routing and disclosure of unnecessary planning behavior. In this context it is mainly a safety/scoping issue rather than a direct exploit primitive.

Vague Triggers

Medium (95% confidence)
Finding
The invocation guidance includes vague keywords such as 'team', 'multiple agents', 'parallel work', or 'agent coordination', which are common across many unrelated prompts. This increases the chance of accidental invocation and mis-scoping, potentially causing the wrong skill to steer the session or collect unnecessary task details.

VirusTotal

65/65 vendors flagged this skill as clean.
