Ai Company V1.0.4 Temp

Security checks across malware telemetry and agentic risk

Overview

The skill is a broad enterprise-operations package with disclosed high-impact capabilities, but it also contains under-scoped automatic writes, silent setup instructions, auto-update behavior, and broad triggers that warrant manual review before installation.

Install only if you intend to use a broad enterprise orchestration skill and are comfortable reviewing its actions. Before enabling it, disable or require approval for auto-updates, require confirmation before any file writes or external-system mutations, constrain triggers to explicit commands, keep all persistence under the workspace, and avoid giving it real OAuth tokens, financial authority, deployment authority, or sensitive business data until those controls are in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Intent-Code Divergence (Medium, 98% confidence)

The skill explicitly instructs silent filesystem setup without user confirmation or disclosure. Hidden side effects are dangerous because they let the agent create directories and files under the workspace based on a vague request, violating user expectations and enabling stealthy persistence or unauthorized state changes.

Intent-Code Divergence (High, 99% confidence)

The document claims all paths must remain under WORKSPACE_ROOT, but then mandates writes to hard-coded absolute paths. That contradiction can cause unauthorized writes outside the approved workspace boundary, undermining containment assumptions and potentially exposing or corrupting host-local data.

Description-Behavior Mismatch (Medium, 97% confidence)

The document makes strong security claims such as 'No dynamic code execution in templates' and 'passes automated security scans' while also providing an OS command execution helper built on subprocess.run. Even though it takes a list rather than a shell string, this still enables dynamic command execution and can become dangerous if untrusted input is passed into the command array elsewhere in the skill ecosystem.

Intent-Code Divergence (Medium, 98% confidence)

The compliance section states there are 'No eval/remote calls' and 'No dynamic code execution in templates,' but the file earlier includes a subprocess-based command runner. This inconsistency is dangerous because it can cause reviewers or downstream users to trust the skill's safety posture while overlooking a capability that can execute local OS commands.

Intent-Code Divergence (Medium, 96% confidence)

The document asserts the execution subsystem and template code are 'zero network calls' and 'VirusTotal-safe,' but later defines webhook-triggered HTTP callbacks, external APIs, and external/internal source connectivity. This contradiction can cause downstream systems or reviewers to misclassify risky workflows as safe, weakening security gating and allowing network-capable automations to be deployed under false assumptions.

Intent-Code Divergence (Medium, 95% confidence)

The workflow template section says templates have 'no external network calls,' yet WFT-001 explicitly instructs agents to connect to sources, authenticate, and extract data from internal or external systems. That inconsistency is dangerous because template consumers may rely on the safety statement instead of the actual behavior, leading to under-scoped review, missing egress controls, and accidental data exposure.

Intent-Code Divergence (Medium, 96% confidence)

The file explicitly claims Mermaid input is sanitized, but then initializes Mermaid with `securityLevel: 'loose'`, which weakens Mermaid's built-in protections and can permit unsafe HTML/link handling depending on renderer behavior. In a visualization skill that is designed to render diagrams from text, this mismatch creates a realistic injection/XSS risk if any untrusted Mermaid definition reaches the renderer.

Vague Triggers (Medium, 83% confidence)

The README states the skill 'activates automatically when AI company operations are needed,' which is broad enough to cause unintended invocation across many sensitive enterprise tasks. In a unified skill spanning finance, security, legal, intelligence, and deployment functions, overbroad auto-activation can trigger inappropriate actions, data exposure, or unsafe recommendations in the wrong context.

Missing User Warnings (Medium, 91% confidence)

The README advertises automatic updates plus a forceable manual PowerShell updater, but does not prominently warn that this modifies local files and can change behavior after installation. Even with stated 'security gates,' auto-update remains a supply-chain risk because a compromised marketplace account, allowlist, script path, or validation logic could deliver untrusted changes to a broad, privileged skill.

Vague Triggers (High, 92% confidence)

The trigger list is extremely broad for a single high-privilege skill, increasing the chance of unintended invocation for loosely related requests. Because the skill also has workspace-wide write access, API network access, MCP capabilities, and an auto-update path, accidental routing into this skill can expose users to unnecessary high-impact actions.

Vague Triggers (Medium, 89% confidence)

Many triggers lack scope, constraints, or required context, such as generic terms for strategy, operations, deployment, intelligence, and translation. In a consolidated enterprise skill, vague triggers can cause over-collection of context, invocation in the wrong department mode, or execution of privileged workflows that the user did not clearly request.

Missing User Warnings (Medium, 87% confidence)

The user-facing description emphasizes broad enterprise functionality but does not prominently warn that the skill can read the workspace, write anywhere under WORKSPACE_ROOT, access network APIs, use MCP channels, and later self-update. This undermines informed consent and can mislead users into invoking a powerful skill for simple tasks without understanding its side effects.

Missing User Warnings (Medium, 95% confidence)

The automatic update feature introduces self-modifying behavior, but the warning is buried in a later section and framed primarily as a feature. Even with stated security gates, any automatic code or prompt update channel materially increases supply-chain and persistence risk, especially for a skill with broad permissions and multi-function authority.

Vague Triggers (Medium, 79% confidence)

The file explicitly tells users to paste the prompt into 'any AI chat window,' which creates an unconstrained execution context for a governance-heavy skill prompt. Even though the embedded prompt text is short, broad invocation guidance increases the chance the prompt is used in tools with different permissions, plugins, memory, or data access behaviors than intended.

Missing User Warnings (Low, 87% confidence)

The document specifies sending precise address and coordinate data to external geolocation services but does not include any privacy guidance, consent requirements, minimization rules, or retention controls. In a unified enterprise skill that supports intelligence, location, and operational workflows, this omission can lead implementers to transmit sensitive user or business location data to third-party providers without adequate safeguards.

Missing User Warnings (Medium, 93% confidence)

The skill defines a knowledge extraction pipeline that explicitly monitors agent conversations and outputs, but the surrounding policy text does not require notice, consent, minimization, or filtering of sensitive data before collection and publication. In a unified company-wide orchestration skill with broad cross-department access, this creates a real privacy and compliance risk because operational, legal, security, or personnel data could be swept into the knowledge base without adequate safeguards.

Missing User Warnings (Medium, 90% confidence)

The weather workflow explicitly chains geolocation into external weather API queries, but the document does not require notifying the user that precise or approximate location data may be sent to third-party services. This creates a real privacy risk because location data is sensitive, and the skill context increases exposure since the feature is designed to automatically resolve location before contacting outside providers.

Vague Triggers (High, 95% confidence)

Triggering the full intelligence workflow on any intelligence-related request is overly broad and can cause substantial autonomous behavior from minimal user input. In this skill, that broad trigger is especially dangerous because the workflow includes file creation, report generation, and memory updates, magnifying the impact of accidental or ambiguous activation.

Missing User Warnings (High, 99% confidence)

The instruction to perform silent filesystem setup without notifying the user is a direct hidden-action pattern. In an agent skill, undisclosed writes reduce transparency, bypass informed consent, and can be abused to establish persistent artifacts or manipulate workspace state without scrutiny.

Missing User Warnings (High, 99% confidence)

This workflow mandates automatic file writes and memory updates as part of normal execution, again without requiring disclosure or approval. Because the behavior is embedded in the main orchestration path, even benign user prompts could trigger persistent state changes that the user did not knowingly authorize.

Missing User Warnings (Medium, 93% confidence)

The document explicitly defines a knowledge extraction pipeline that begins with continuously monitoring agent conversations and outputs, but it provides no privacy boundaries, consent model, data minimization rules, retention limits, or handling restrictions for sensitive content. In a unified company skill that spans legal, security, people, and intelligence functions, this creates a real risk of over-collection and leakage of confidential, personal, or regulated data into a shared knowledge base.

Vague Triggers (Medium, 81% confidence)

The manual trigger model allows ad-hoc execution by authorized users with broad task context and flexible agent/department assignment, but it lacks concrete authorization scopes, policy restrictions, or per-action approval requirements. In a unified company-control skill, that breadth increases the chance of overpowered or improperly routed requests leading to sensitive actions without sufficient constraint.

Missing User Warnings (Medium, 88% confidence)

The data collection workflow explicitly supports pulling from internal or external sources, authenticating, extracting, validating, and storing data, but it does not clearly require user-facing warnings or privacy/data-handling disclosures at the point of use. In a skill designed for broad enterprise operations, this can normalize collection of sensitive or regulated data without adequate consent, minimization, or operator awareness.

Missing User Warnings (Medium, 92% confidence)

The document includes concrete examples for actions that mutate external systems such as approving deployments, creating GitHub issues and PRs, creating calendar events, and sending emails, but it does not pair them with explicit user-consent or confirmation requirements. In an agent skill context, these examples can normalize or encourage autonomous side effects against third-party systems, increasing the risk of unintended or unauthorized actions.

Natural-Language Policy Violations (Medium, 92% confidence)

The explicit constraint 'English-only for all memory metadata' creates an unnecessary language restriction for titles, tags, and metadata fields across a multilingual system. In a platform that supports translation, localization, and Chinese regulatory context, this can drive unsafe workarounds, misclassification, and loss of fidelity for legal, security, or intelligence records, especially when users or operators are non-English-speaking.

VirusTotal

63/63 vendors flagged this skill as clean.