Auto Agent Router

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can route ordinary chat to sub-agents, log message content, and let chat input change future routing aliases.

Install only if you are comfortable with the skill influencing message handling and starting sub-agents from inferred keywords. Before use, consider disabling autoRoute, requiring explicit slash commands, removing generic aliases like assistant and bot, turning off automatic bot-name learning, and disabling or protecting /tmp content logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The skill claims to only route explicit slash commands, but the documented behavior expands into automatic routing, config reads/writes, log writes, prompt construction, and loading agent SOUL.md files. This mismatch is dangerous because reviewers and users may trust a narrow behavior model while the skill actually performs broader autonomous actions that can affect data flow, prompt context, and downstream agent execution.

Context-Inappropriate Capability
Severity: Low
Confidence: 95%
Finding: The handler writes raw log entries containing message-derived content to a local file in /tmp, which is inappropriate for a simple router and risks exposing sensitive chat data. /tmp is a shared, low-assurance location on many systems, and plain-text logs can be read, retained, or mishandled by other local processes or users depending on system configuration.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The skill description says routing should first honor explicit slash commands like /coder or /writer, but the configuration instead performs broad implicit keyword routing across many message types. This can cause unintended delegation based on ordinary conversation text, violating user intent and enabling prompt-driven agent switching without clear authorization.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The configuration expands routing to analyst, researcher, reviewer, and devops roles beyond the manifest's narrow router description. This increases the skill's authority surface and may route sensitive operational, research, or review requests into specialized agents the user did not knowingly invoke, especially risky for devops-style tasks.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The command parser performs an undocumented state-changing action by persisting any newly mentioned @name into local configuration. Because the name is derived directly from untrusted chat input, any user can poison the bot-name list, causing future messages to match unintended aliases and altering routing behavior without authorization or review.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The logger persists raw message content and related agent activity to /tmp, which goes beyond the skill's declared purpose of routing commands to sub-agents. Even truncated logs can contain sensitive user prompts, tasks, or outputs, and writing them to a shared temporary location increases the chance of unintended disclosure to other local users or processes.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The ability to read recent logs and delete logs is unrelated to the stated routing-only behavior and expands the skill's operational scope. Read access can expose previously captured sensitive data, while deletion can remove forensic evidence or audit trails after misuse or malfunction.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill exposes a /devops route that can spawn a privileged operational agent without any visible confirmation, safety gate, or warning about system-affecting actions. In an agent framework, this increases the chance that a user message or misroute leads to shell, infrastructure, or deployment operations being executed by a specialized child agent with broader operational impact.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: This log line records user message content and sender identity without notice or consent, creating a privacy leak for potentially sensitive chat content. In the context of an auto-router handling arbitrary user messages, this is more dangerous because messages may contain credentials, personal data, or business information unrelated to routing.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The code forwards the full original message and sender information into a spawned sub-agent task without any minimization or consent boundary. This expands access to sensitive user data beyond what may be necessary for routing and increases exposure if the child agent, its logs, or downstream integrations are less trusted.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: Generic bot names such as assistant, bot, 助手, and similar aliases are likely to match normal conversation and accidentally activate the skill. This raises the chance of unintended routing and makes it easier for an attacker or stray prompt text to trigger the router when the user did not mean to invoke it.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The keyword lists include broad terms like 代码, 写个, 分析, 配置, 搜索, and 优化 without contextual constraints, so many benign messages could match and trigger specialized agents. In an auto-routing skill, this increases the risk of misclassification, unintended tool use, and escalation into more capable sub-agents based on ambiguous language.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: These helper functions explicitly log user message excerpts, agent task content, and agent result content without any consent, redaction, or sensitivity filtering. In an agent-routing context, those fields are especially likely to contain secrets, private data, or proprietary prompts, so the logging materially increases privacy and data-handling risk.

Ssd 3
Severity: Medium
Confidence: 97%
Finding: Persistently logging natural-language user messages and sender details creates a direct data leakage path because sensitive information is stored in recoverable plain text. In a routing skill, this is especially risky because the feature's core purpose does not require retaining complete user utterances, so the exposure is unnecessary and avoidable.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: Embedding the full user message in delegated instructions unnecessarily propagates potentially sensitive data to another processing context. This broadens the attack surface and can lead to secondary leakage through the spawned agent's prompts, outputs, logs, or connected tools.

VirusTotal

64/64 vendors flagged this skill as clean.