Security audit

Multi Agent Dev

Security checks across malware telemetry and agentic risk

Overview

No malware or deceptive behavior is evidenced, but the available scan notes suggest users should be careful before letting this development automation skill run commands or create directories.

Install only if you intend to use an agent-driven development workflow. Before use, specify the project directory and task explicitly, and review any proposed command execution or directory creation before allowing changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High (96% confidence)
Finding
The trigger conditions are overly broad and include very common terms such as “开发”, “研发”, and “编码”, which can cause this skill to activate for routine conversations unrelated to the intended workflow. In a skill that can launch iterative agent-driven development commands, unintended activation increases the chance of unnecessary code changes, command execution, or escalation into multi-agent behavior without clear user intent.

Missing User Warnings

Medium (88% confidence)
Finding
The exception-handling guidance says a missing working directory should be automatically created or the user should be prompted, but it does not consistently require explicit confirmation before filesystem changes. In the context of a development automation skill, silent directory creation can lead to unintended writes in sensitive paths, confusion about execution context, or preparation for further automated modifications.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.