Agent Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill describes itself as a coding-agent orchestrator; users should understand that, once a spawn is approved, the agents it launches can work inside repositories, use GitHub credentials, and keep running in git worktrees.

Install only if you trust the local AO binary and the GitHub account authenticated in gh. Use least-privilege GitHub credentials, set spending limits on the Anthropic key, keep secrets out of agent worktrees, and review each proposed spawn or batch spawn before approving it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding:
The security section materially understates AO's capabilities by claiming it does not read, write, or transmit code, while the rest of the skill explicitly instructs the model to spawn coding agents, create git worktrees, modify code, and open PRs. This kind of misleading documentation can cause operators to grant trust or permissions under false assumptions, increasing the chance of unintended code access or repository modification.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding:
The skill maps broad, natural-language phrases such as 'what's happening', 'morning', 'ready to work', or 'check my repos' directly to live AO tool calls. Overbroad activation criteria increase the risk that routine conversation or ambiguous user input will trigger repository, issue, or session queries without sufficiently clear user intent.

Vague Triggers
Severity: High
Confidence: 97%
Finding:
The coding-action trigger list includes extremely generic confirmations like 'sure', 'yes', 'go ahead', and 'do it', and states that any coding-related request should map to `ao_spawn`. In multi-turn conversations, these vague replies could be misbound to a prior suggestion and cause unintended agent spawning, leading to unapproved code changes, branch creation, PRs, or external API/GitHub activity.
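The two Vague Triggers findings and the Intent-Code Divergence finding above describe checks that can be automated over a skill's trigger map. The Python below is an added example, not code from AO, SkillSpector or the skill itself: it flags bare confirmations, small talk and catch-all phrases bound directly to tool calls, rates them higher when the bound tool has side effects, and compares what a security section denies against the side effects of the tools the triggers invoke. The skill format (a dict of trigger phrase to tool name), the TOOL_EFFECTS table and the sample triggers are constructed assumptions, not AO's real schema.

```python
"""Audit a coding-agent skill's trigger map for vague triggers and for
divergence between its declared and actual capabilities.

Added example, not AO's or SkillSpector's code. The skill format (a dict
of trigger phrase -> tool name) and the TOOL_EFFECTS table are assumptions
made for illustration; real skill schemas and tool side effects differ."""
import re

# Bare affirmatives that only make sense as a reply to an earlier turn; bound
# directly to a tool they can misfire on any prior suggestion. Constructed list.
GENERIC_CONFIRMATIONS = {"sure", "yes", "yep", "ok", "okay", "go ahead", "do it"}

# Greetings and small talk that state no intent of their own. Constructed list.
CONVERSATIONAL_PHRASES = {"morning", "hi", "hello", "what's happening",
                          "ready to work", "check my repos"}

# Assumed side effects per tool, mirroring the capabilities the findings
# attribute to ao_spawn (worktrees, code changes, PRs, GitHub credentials).
TOOL_EFFECTS = {
    "ao_status": {"read_repo_metadata"},
    "ao_spawn": {"spawn_agent", "read_code", "write_code", "transmit_code",
                 "use_github_credentials"},
    "ao_batch_spawn": {"spawn_agent", "read_code", "write_code", "transmit_code",
                       "use_github_credentials"},
}
# Effects that change state outside the conversation: a vague trigger on one
# of these is rated high, on a read-only tool medium.
SIDE_EFFECTS = {"spawn_agent", "write_code", "transmit_code", "use_github_credentials"}


def normalize(phrase):
    """Lower-case, strip trailing punctuation, collapse whitespace."""
    p = phrase.lower().strip()
    p = re.sub(r"[!?.,]+$", "", p)
    return re.sub(r"\s+", " ", p)


def classify_trigger(phrase):
    """Return a reason string if the phrase is too vague to bind to a tool,
    otherwise None."""
    p = normalize(phrase)
    if p in GENERIC_CONFIRMATIONS:
        return "generic confirmation, meaning depends on prior turn"
    if p in CONVERSATIONAL_PHRASES:
        return "conversational phrase with no stated intent"
    if p == "*" or p.startswith("any "):
        return "catch-all trigger"
    return None


def audit_triggers(trigger_map):
    """Return [(severity, phrase, tool, reason)] for every vague trigger,
    high severity first, then alphabetical by phrase."""
    findings = []
    for phrase, tool in trigger_map.items():
        reason = classify_trigger(phrase)
        if reason is None:
            continue
        side_effecting = bool(TOOL_EFFECTS.get(tool, set()) & SIDE_EFFECTS)
        severity = "high" if side_effecting else "medium"
        findings.append((severity, phrase, tool, reason))
    findings.sort(key=lambda f: (f[0] != "high", f[1]))
    return findings


def declared_vs_actual(denied_effects, trigger_map):
    """Effects the security section claims the skill lacks but that some
    trigger-bound tool has (the intent-code divergence check)."""
    actual = set()
    for tool in trigger_map.values():
        actual |= TOOL_EFFECTS.get(tool, set())
    return sorted(actual & set(denied_effects))


# Constructed skill excerpt modelled on the findings, not the real skill file.
EXAMPLE_TRIGGERS = {
    "what's happening": "ao_status",
    "morning": "ao_status",
    "check my repos": "ao_status",
    "fix the failing test in issue 42": "ao_spawn",
    "sure": "ao_spawn",
    "go ahead": "ao_spawn",
    "any coding-related request": "ao_spawn",
}
# "does not read, write, or transmit code", expressed as effect tags.
EXAMPLE_DENIED = {"read_code", "write_code", "transmit_code"}

if __name__ == "__main__":
    for sev, phrase, tool, reason in audit_triggers(EXAMPLE_TRIGGERS):
        print(f"[{sev}] {phrase!r} -> {tool}: {reason}")
    print("declared-vs-actual divergence:",
          declared_vs_actual(EXAMPLE_DENIED, EXAMPLE_TRIGGERS))
```

On the constructed map the audit rates the three phrases bound to ao_spawn high and the three status-query phrases medium, leaves the specific "fix the failing test in issue 42" alone, and reports read, write and transmit as capabilities the security section denies but the trigger-bound tools have. A useful policy on top of this is to refuse to bind any phrase that classifies as vague to a tool with side effects unless the tool itself requires an explicit per-call confirmation.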

VirusTotal

0 of 59 vendors flagged this skill; all 59 reported it as clean.
