long-run-harness

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed developer skill for creating an automated app-building harness; it has powerful expected behavior, but I found no hidden exfiltration, destructive payload, or deceptive install mechanism.

Install only if you want an autonomous development harness that can write files, run commands, call LLM providers, evaluate local apps, and optionally create git checkpoints. Use throwaway or clearly scoped workspaces, provide only the API keys needed for the selected backend, avoid real production URLs for evaluation, and review generated config before running full-auto modes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill instructs users to export an API key using an inline example that resembles a real secret (`export ANTHROPIC_API_KEY=sk-...`) without an explicit warning to use their own credential securely and avoid committing or logging it. In a long-running harness/orchestrator context, users are likely to copy-paste setup commands directly, which increases the chance of unsafe secret handling, shell history leakage, or accidental inclusion in scripts and logs.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The file documents a generator path using `--approval-mode full-auto` where the model can perform file writes and shell actions, but it does not pair that with a clear, high-visibility warning about the resulting system and data impact. Users may enable an autonomous backend without understanding that it can execute commands and mutate the workspace, increasing the chance of destructive or unsafe runs.

Missing User Warnings
Severity: Low
Confidence: 85%
Finding: The evaluator instructions tell Codex to run shell commands and HTTP requests against `app_url` without clearly warning about outbound network activity, possible interaction with real services, or side effects from hitting mutable endpoints. In a harness that may be pointed at non-test environments, this omission can lead to accidental data exposure or unintended state changes.

Missing User Warnings
Severity: Low
Confidence: 81%
Finding: The documentation instructs users to supply a backend API key via environment variables for the Deepcode/DeepSeek path, but it does not warn that credentials will be exposed to a third-party provider or may be inherited by subprocesses, logs, or misconfigured environments. In a multi-agent harness that can run external tooling, missing privacy and credential-handling guidance increases the chance of accidental secret disclosure.

Natural-Language Policy Violations
Severity: Medium
Confidence: 79%
Finding: The config explicitly states that strategic_decision() always uses Claude and is not swappable, which overrides the user's backend choice for a reasoning step that may process project context, artifacts, or sensitive data. Forcing a provider without explicit opt-in can create unintended data egress and compliance issues, especially in long-running orchestration over proprietary codebases.

Natural-Language Policy Violations
Severity: Medium
Confidence: 80%
Finding: The configuration hardcodes self_assess() to always call Claude even when the generator uses a different backend, creating an implicit secondary provider data flow. This can surprise users and leak generated code, prompts, or evaluation context to a provider they did not intend to use.

VirusTotal

66/66 vendors flagged this skill as clean.