Agent OS (Three Layer)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local Agent OS template; its main risks are broad persona and memory instructions, not hidden malware or data theft.

Install this only if you want an opinionated agent-architecture template with persistent memory files and a CEO-style operating mode. Before using it for real work, review the shell scripts, make memory writes explicit, avoid storing secrets or sensitive personal data in MEMORY.md, and narrow role/agent activation rules to commands you intentionally invoke.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger condition for the 'simplify' agent is defined only as 'code change detection', which is overly broad and can cause the agent to run on unrelated or sensitive modifications without explicit user intent. In an agent orchestration context, vague activation boundaries increase the chance of unintended autonomous actions such as code review, refactoring, or automatic fixes being applied where they are not appropriate.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The 'agent-os' agent is triggered by generic 'architecture-related requests', which lacks clear technical boundaries and leaves too much room for subjective matching. Because this agent can validate integrity, perform upgrades, and coordinate cross-layer operations, ambiguous invocation could lead to unauthorized or accidental high-impact changes across the system.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The learning loop explicitly states that after every conversation the system should extract learnings and update MEMORY.md automatically, without any notice, consent, approval gate, or data-sensitivity restriction. This is dangerous because it enables silent persistence of user-derived content, which can store sensitive information, create privacy violations, and poison future agent behavior through unreviewed memory writes.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The activation condition is broad enough that ordinary mentions of 'CEO' or '马斯克风格' ("Musk style") could unintentionally switch the agent into a dominant executive mode without clear user consent. That can override expected behavior, change tone and decision framing, and cause the system to act with unwarranted authority or urgency in unrelated contexts.

Natural-Language Policy Violations

Severity: Medium
Confidence: 83%
Finding: The skill enforces a specific persona and communication style, including Chinese phrasing and an Elon/CEO framing, without offering user choice or a justified requirement. While not directly enabling code execution or data exfiltration, it can reduce user control, create misleading authority signals, and increase the chance of inappropriate responses when the user's language, locale, or task expectations differ.

VirusTotal

64/64 vendors flagged this skill as clean.