Workflow

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only workflow skill, but one of its webhook examples can be copied into a remotely triggerable local script runner that lacks adequate path allowlisting and complete input validation.

Install only if you are comfortable treating this as workflow-authoring guidance that must be reviewed before execution. Do not expose the webhook example as written; add strict workflow-name allowlisting, resolved-path checks, signature and timestamp verification, and explicit user approval before running any selected workflow. Use least-privilege tokens, review generated run.sh files with dry-run first, and replace broad cron/removal/deletion examples with scoped, reversible procedures.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs users to modify the host crontab directly, which expands the skill from workflow composition into host-level persistence and scheduling. In an agent context, this is dangerous because it normalizes establishing recurring execution outside the workflow system's own controls, audit boundaries, and approval paths.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The archiving guidance includes a command to rewrite the user's crontab, which is a host-administration action outside the stated workflow-building scope. Such commands can disable unrelated jobs if the pattern match is broad or manipulated, and they encourage agent-driven persistence management on the host.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The webhook router example derives WORKFLOW directly from the request path and uses it in file-write and execution paths without any sanitization or allowlisting. An attacker can potentially use path traversal or unexpected workflow names to write files outside the intended directory and trigger arbitrary local scripts, which is significantly more dangerous than a mere disclosure issue.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The cleanup examples include deletion operations that can remove intermediate or old JSON files automatically, including via a trap on EXIT. In a workflow skill, users may adapt these snippets directly, and without warnings or safer guards this can cause unintended data loss, especially if path assumptions change or valuable artifacts are stored in the same directory.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes an alerting example that sends secrets and workflow failure details to an external service, but it does not warn about secret handling, message content sensitivity, or data minimization. In a workflow skill, users may copy these patterns directly, which can lead to unintentional transmission of credentials or sensitive operational data to third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The notification step sends data to an external service without any explicit warning, consent checkpoint, or data-classification guidance. In a reusable workflow skill, this can lead users to transmit operational data off-host or to third parties without understanding that an outbound disclosure occurs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The recovery guidance includes destructive deletion of all workflow state without an explicit safety warning, confirmation step, or scope guard. In an automation context, operators may copy this command directly, causing unintended data loss, forced reprocessing, or disruption if the state directory is mis-scoped or contains important progress data.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# Reset and re-scan
reset_state() {
  rm -rf state/*
  echo '{}' > state/cursor.json
  echo '{"seen":[]}' > state/seen.json
  # `log` is a helper defined elsewhere in the skill (assumed, not shown in this excerpt)
  log "state" "reset" "\"reason\":\"manual recovery\""
}
```
Confidence
93% confidence
Finding
rm -rf state/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Document recovery procedure in flow.md:
```markdown
## Recovery
If state corrupted: `rm -rf state/*` and re-run.
Will reprocess all items (idempotent operations safe).
```
Confidence
91% confidence
Finding
rm -rf state/

VirusTotal

64/64 vendors flagged this skill as clean.
