Employee

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only framework for local AI employee profiles; its persistence and delegation risks are real but disclosed and mostly gated by user-controlled permissions.

Install only if you want persistent local AI worker profiles. Start employees in shadow or draft-only mode, keep fileAccess narrow, leave canSpawn/canMessage off unless needed, review ~/employee memory and logs periodically, avoid training on secrets or regulated data, and be careful before enabling auto-delegation or autonomous permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly defines persistent per-employee memory and work-history logs stored under the user's home directory, but it provides no notice, consent flow, retention limits, or guidance on handling sensitive data. In a system designed to create autonomous AI employees, this increases the chance that personal, proprietary, or regulated information will be retained indefinitely and later surfaced, reused, or exposed beyond the user's expectations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The Train flow explicitly reads user-provided documents, extracts information, and appends it to persistent memory, but it does not warn the user that this data will be stored long-term or potentially reused in future tasks. In a skill centered on persistent AI employees, that omission is more dangerous because users may provide sensitive internal documents without understanding the retention and propagation implications.

Missing User Warnings

Medium
Confidence: 89%
Finding
The Assign Task section says the system will load config and memory, spawn a subagent, and execute tasks, but it does not disclose that delegated actions may read, modify, or otherwise affect user data or system state. Because this skill is specifically designed to create semi-autonomous workers with persistent context, silent delegation increases the risk of users triggering impactful actions without understanding the scope or side effects.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrase "{name}, do X" is extremely broad and resembles normal conversation, so it can be invoked unintentionally during discussion rather than as a deliberate command. In a skill that can spawn subagents and execute tasks, ambiguous invocation materially raises the chance of unintended task execution and downstream state changes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The routing flow explicitly injects persistent memory/context into subagents and logs task results, but the design shown here includes no user-consent, minimization, or warning step before data is shared across agents and persisted. In an employee-orchestration skill, this creates a real confidentiality and privacy risk because sensitive prompts, internal context, or user data may be propagated to additional models and stored in logs beyond the user's expectations.

VirusTotal

64/64 vendors flagged this skill as clean.