Huo15 Multi Agent

Security checks across malware telemetry and agentic risk

Overview

This multi-agent helper is not overtly malicious, but it needs Review because it can enable command-capable subagents and stores or deletes local worker data with weak safeguards.

Install only if you trust the publisher and actually need parallel subagents. Before use, reduce subagent permissions to the minimum needed, avoid secrets in task text, inspect ~/.openclaw/workspace/memory/activity/multi-agent for retained logs, and patch or avoid the shell scripts until worker IDs and user-provided strings are safely validated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84%
Finding
The skill describes capabilities that include reading files and managing state, but the front matter does not declare permissions or clearly bound those capabilities. In an agent ecosystem, hidden or undeclared file access increases the chance of users or orchestrators invoking the skill without understanding its effective authority, which can lead to unintended data exposure or writes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The declared purpose is multi-agent coordination, but the skill also persists team/task/worker state and logs under the user's home directory and performs team-management actions that the description does not disclose. That mismatch is dangerous because it conceals data retention and operational scope from the user, and the claimed sessions_spawn integration appears unsupported by the visible content, suggesting deceptive or at least materially incomplete documentation.

Missing User Warnings

Medium
Confidence
91%
Finding
The skill explicitly shows subagents with allowlisted 'exec' and 'process' permissions, yet does not warn the user that multiple spawned agents may execute commands concurrently. This is dangerous because concurrent execution amplifies the chance of harmful actions, resource exhaustion, and unintended command effects, especially when users may assume the skill only summarizes or coordinates work.

Missing User Warnings

Medium
Confidence
92%
Finding
The script persists the full task string to a markdown log under the user's home directory without any warning, consent, redaction, or retention control. In a multi-agent workflow, task text may contain sensitive prompts, credentials, code snippets, or customer data, so silently storing it increases the risk of privacy leakage and unintended later disclosure.
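One way to log task activity without silently retaining raw task text, shown as an added example rather than the skill's own script: secrets of common shapes are redacted and the line is truncated before it is appended, and the log file is kept owner-readable only. The log filename, the length cap, and the redaction patterns are assumptions for illustration and are not exhaustive.

```sh
#!/bin/sh
# Added example, not part of the scanned skill. Assumed defaults: the log
# lives under the directory named in the overview, with a filename chosen here.
LOG_FILE="${LOG_FILE:-$HOME/.openclaw/workspace/memory/activity/multi-agent/tasks.md}"
MAX_TASK_CHARS="${MAX_TASK_CHARS:-200}"

# Redact obvious credential shapes from a task string and cap its length.
# Patterns are illustrative (AWS access key IDs, "sk-" style API keys,
# key=value / key: value pairs, bearer tokens); extend for your environment.
redact_task() {
    printf '%s' "$1" | sed -E \
        -e 's|AKIA[0-9A-Z]{16}|[REDACTED_AWS_KEY]|g' \
        -e 's|sk-[A-Za-z0-9_-]{8,}|[REDACTED_API_KEY]|g' \
        -e 's|(([Pp]assword\|[Pp]asswd\|[Tt]oken\|[Ss]ecret\|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy])[[:space:]]*[=:][[:space:]]*)[^[:space:]]+|\1[REDACTED]|g' \
        -e 's|(Bearer[[:space:]]+)[A-Za-z0-9._~+/=-]+|\1[REDACTED]|g' \
        | cut -c1-"$MAX_TASK_CHARS"
}

# Append one markdown bullet per task. Only the redacted, truncated text is
# written; the file is created 0600 so other local users cannot read it.
log_task() {
    worker_id="$1"
    task="$2"
    safe="$(redact_task "$task")"
    mkdir -p "$(dirname "$LOG_FILE")"
    ( umask 077; printf -- '- %s worker=%s task=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$worker_id" "$safe" >> "$LOG_FILE" )
    chmod 600 "$LOG_FILE"
}

# Usage: log_task worker-01 "rotate the key: password=hunter2 then redeploy"
```

The retention question is separate from redaction: a practitioner would also want a documented retention period and a way to purge the file, neither of which the scanned script provides.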

Missing User Warnings

Medium
Confidence
97%
Finding
The script performs rm -rf on a path built from the user-controlled worker_id without validating that input. An attacker, or a user by accident, could supply traversal-style values such as ../../... and cause deletion outside the intended workers directory, leading to arbitrary file or directory removal under the user's privileges.
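The check that is missing, shown as an added example and not the skill's own code: the worker ID is matched against a strict allowlist before it is ever joined to the workers directory, so no value containing a slash, a dot, or a leading dash reaches rm. The workers directory path and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the scanned skill. The directory layout below
# the page's multi-agent path is assumed.
WORKERS_DIR="${WORKERS_DIR:-$HOME/.openclaw/workspace/memory/activity/multi-agent/workers}"

# The vulnerable shape described in the finding (do not use):
#   rm -rf "$WORKERS_DIR/$worker_id"
# With worker_id='../../something' the target walks out of WORKERS_DIR.

# Accept only 1-64 characters from [A-Za-z0-9_-], not starting with '-'.
# Because '/' and '.' are excluded, traversal is impossible by construction,
# and the no-leading-dash rule keeps the value from being read as an option.
valid_worker_id() {
    case "$1" in
        '') return 1 ;;
        -*) return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Print the path for a validated worker ID, or fail without printing anything.
worker_path() {
    if ! valid_worker_id "$1"; then
        printf 'refusing worker_id: %s\n' "$1" >&2
        return 1
    fi
    printf '%s/%s\n' "$WORKERS_DIR" "$1"
}

# Delete a worker directory only through the validated path. '--' ends option
# parsing as a second line of defence. Note: if WORKERS_DIR itself or an entry
# inside it is a symlink, rm -rf follows the entry only, not its target tree.
remove_worker() {
    target="$(worker_path "$1")" || return 1
    [ -d "$target" ] || return 1
    rm -rf -- "$target"
}

# Usage: remove_worker worker-01
```

Validating on an allowlist is preferable to trying to strip `..` sequences from the input, since encodings and repeated substitutions make blacklists easy to bypass.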

VirusTotal

VirusTotal findings are pending for this skill version.
