Ai Collab

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-agent collaboration system, but it gives persistent agents broad authority with weak boundaries around approvals, external messages, logs, and financial actions.

Install only if you intentionally want a persistent autonomous second-agent system. Before using it, remove or disable the financial protocol, avoid the no-permission workflow prompt, restrict permissions on the inbox and chat log, do not use blind tmux approvals, and treat Telegram/OpenAI/Claude forwarding as external data sharing that needs explicit consent and monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability (Severity: Medium; Confidence: 94%)

Finding: The optional Telegram bridge materially expands the skill from local agent collaboration into external message ingestion using bot credentials and a network API. That increases attack surface, introduces privacy and token-handling risks, and allows untrusted third-party content to flow into the agent system without strong validation or isolation.

Context-Inappropriate Capability (Severity: High; Confidence: 97%)

Finding: Financial authorization and transaction-gating logic is out of scope for an agent-collaboration skill and normalizes agent participation in monetary actions. Even with tiers, the design explicitly permits autonomous low-value actions and creates a pathway for prompt-driven financial operations based on loosely parsed natural-language amounts and tags.

Intent-Code Divergence (Severity: Medium; Confidence: 82%)

Finding: The skill both recommends tmux send-keys automation and later warns against it, which can cause operators to deploy unsafe blind keystroke injection anyway. In this context, send-keys can target the wrong session or terminal state and accidentally approve commands or trigger unintended execution in a persistent agent environment.

Context-Inappropriate Capability (Severity: Medium; Confidence: 89%)

Finding: The file extends a collaboration skill into a Telegram ingestion bridge that introduces external messaging, bot administration, and credential management. That materially expands the attack surface and data exposure beyond simple local agent-to-agent coordination, especially because group messages are being imported into an autonomous daemon workflow.

Context-Inappropriate Capability (Severity: Medium; Confidence: 85%)

Finding: The continuously running polling loop gives the skill a persistent external communications channel and autonomous message intake capability. In the context of an agent daemon, this can enable unattended prompt injection, abuse of the daemon workflow, and unintended exfiltration or actioning based on remote messages.

Missing User Warnings (Severity: Medium; Confidence: 92%)

Finding: The skill centers on storing all inter-agent messages in a shared log yet does not prominently warn users that sensitive prompts, outputs, or secrets may be recorded and later replayed. In a collaboration skill, this omission is dangerous because logging is core behavior and can silently persist confidential content across agents and sessions.

Missing User Warnings (Severity: High; Confidence: 96%)

Finding: The Telegram bridge instructs users to disable privacy mode so the bot can read all group messages, but does not provide a strong, prominent warning about collection, consent, retention, or exposure. This creates a high-risk surveillance-style ingestion path for third-party communications into the agent workflow.

Missing User Warnings (Severity: Medium; Confidence: 96%)

Finding: This example sends arbitrary task content from the local agent workflow to the OpenAI API, but the documentation does not warn users that prompts, code, or other potentially sensitive data will leave the local environment and be processed by a third party. In a collaboration/daemon setup, this increases the chance that source code, secrets, or internal notes are routinely forwarded externally without informed consent or data-classification checks.

Missing User Warnings (Severity: Medium; Confidence: 91%)

Finding: The prompt explicitly instructs an agent to append data to a persistent local file under the user's home directory after every step, without any warning, consent boundary, or limitation on what may be logged. In an autonomous multi-agent setting, this can modify user data, create unintended persistence, and leak sensitive task details into a shared log that other agents or processes may read.

Missing User Warnings (Severity: Medium; Confidence: 93%)

Finding: The text normalizes autonomous use of the filesystem, shell, and browser while telling the agent to proceed without asking permission, which increases the chance of impactful real-world actions without meaningful user awareness. In a collaboration skill designed to run parallel agents, this broad operational authority materially raises the risk of unintended system changes, web actions, or data exposure.

Missing User Warnings (Severity: Medium; Confidence: 94%)

Finding: The instructions tell the operator to disable Telegram group privacy without prominently warning that the bot will be able to read all group traffic, including bystanders' messages, and that messages are stored locally in logs. This creates privacy and compliance risk because users in the group may not understand that their content is being monitored and retained.

Missing User Warnings (Severity: Medium; Confidence: 95%)

Finding: Untrusted inbox messages are logged to disk and forwarded verbatim into `claude --print`, and the resulting model output is then sent into `openclaw agent`. This creates a prompt-injection and data-handling risk: any actor able to write to the inbox can cause sensitive content to be persisted, influence downstream agent behavior, and potentially trigger unintended actions through the relayed response path.

Missing User Warnings (Severity: Medium; Confidence: 93%)

Finding: The script automatically reads untrusted content from a shared chat log and forwards it into another agent's input channel without validation, consent, or any user-visible disclosure. In a multi-agent collaboration skill, this creates a prompt-injection and unintended data-flow path: anyone or any process able to append to the log can influence the primary agent, potentially causing unsafe actions, confusion, or leakage of context across agents.

Ssd 3 (Severity: High; Confidence: 97%)

Finding: The design records arbitrary inter-agent content into a shared chat log and routes responses back into another agent, creating a built-in data exfiltration and replay channel. Any sensitive user input, credentials, file contents, or prompt artifacts that enter the collaboration stream can be persistently stored and propagated to another model or process.

Ssd 3 (Severity: High; Confidence: 98%)

Finding: The daemon prompt explicitly passes the chat log location as collaboration context while also embedding arbitrary incoming message text into the secondary model prompt. In practice, this broadens disclosure to another model/process and encourages cross-task leakage of prior conversation state, including potentially sensitive material never needed for the current task.

Ssd 3 (Severity: High; Confidence: 97%)

Finding: The Telegram bridge creates a direct collection pipeline from user/group communications into the agent inbox, where messages can then be logged, processed, and forwarded. This is especially dangerous because the content originates from external parties who may not expect their messages to be ingested by autonomous agents or secondary models.

VirusTotal

63/63 vendors flagged this skill as clean.