Agency Agents Main

Security checks across malware telemetry and agentic risk

Overview

This is mostly a large role-switching prompt pack, but some included roles request autonomous posting, scheduling, credentials, persistent memory, and broad local tools without enough user-control boundaries.

Install only if you are comfortable with a broad prompt pack that can activate roles involving external APIs, social-account publishing, local file edits, shell access, and optional persistent memory. Avoid enabling the autonomous publishing or memory integrations unless you can restrict credentials, require manual approval before posts or account changes, and review any generated code before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (144)

Context-Inappropriate Capability (Medium severity, 93% confidence)
The sample implementation installs global document-level keydown and click listeners to monitor all user interactions, even though the stated purpose is whimsical UI enhancement. Broad input monitoring is risky because it can capture sensitive behavioral data, interfere with other handlers, and normalize patterns that could be repurposed for surveillance or covert triggers in a real integration.

Intent-Code Divergence (High severity, 86% confidence)
The document’s stated safety model says AI should generate logic rather than directly modify data, but the included workflow culminates in executing AI-produced transformations over real dataset values. In a remediation skill handling anomalous and potentially sensitive production data, that contradiction is dangerous because it normalizes AI-directed data mutation under a misleading safety framing.

Intent-Code Divergence (Medium severity, 94% confidence)
The skill explicitly states that schema drift must alert and never silently corrupt, yet the Bronze ingest example uses automatic schema merging without any detection, alerting, quarantine, or review path. In a data-engineering skill, this is dangerous because users may copy the example into production and unknowingly permit upstream schema changes to flow through, causing silent downstream breakage, semantic corruption, or trust erosion in analytics outputs.

Description-Behavior Mismatch (Medium severity, 90% confidence)
These instructions go beyond simple persona switching and direct the agent to perform substantive engineering work and make implementation decisions. In a role-switching skill, that scope expansion can bypass higher-level controls about what the skill is supposed to do and cause the agent to take actions or provide guidance not clearly authorized by the manifest.

Description-Behavior Mismatch (Medium severity, 93% confidence)
The prescribed workflow, QA gates, and coding behavior turn the skill from a role selector into an execution playbook. That increases risk because the agent may treat these embedded instructions as authoritative over user intent or platform policy, leading to uncontrolled technical actions and hidden behavior shaping.

Context-Inappropriate Capability (Medium severity, 95% confidence)
Granting 'persistent memory' is a capability claim that exceeds a simple role-switching function and may encourage retention or reuse of prior task information without clear consent or controls. In security terms, unjustified memory expansion can lead to privacy leakage, cross-task contamination, and unauthorized carryover of sensitive context.

Context-Inappropriate Capability (Low severity, 81% confidence)
Directing external web lookups introduces an undeclared capability and can cause the agent to fetch untrusted remote content or disclose task context to external services. While lower severity here, it still expands the attack surface beyond the manifest's stated role-switching purpose.

Intent-Code Divergence (Medium severity, 96% confidence)
This is a real security flaw in the sample guidance. The document repeatedly claims a server-authoritative model, but the code sets each player node's authority to the corresponding client peer and then permits authority-side movement/state changes, which effectively gives clients control over gameplay-critical state and can enable cheating or desync. In a multiplayer-engineering skill, this is more dangerous because users are likely to copy the pattern directly into production netcode.

Context-Inappropriate Capability (Medium severity, 86% confidence)
The skill explicitly recommends exporting analytics events to an external backend via HttpService:PostAsync(), which expands data flow off the Roblox platform without any constraints on minimization, consent, or allowed payloads. In a role skill intended to guide users, this can normalize collecting and transmitting player telemetry—potentially including identifiers or behavioral data about minors—into third-party systems with weaker platform protections.

Description-Behavior Mismatch (Medium severity, 95% confidence)
The file is presented as a role-switching persona, but it instructs the agent to search, persist, tag, share, and roll back cross-session memory. That expands the skill from harmless persona selection into stateful data handling, which can cause unauthorized retention of sensitive project data, cross-task leakage, and unintended influence from prior sessions or other agents. In this context, the mismatch between stated purpose and actual capabilities makes the behavior more dangerous because users may not expect persistent memory operations from a simple role switcher.

Context-Inappropriate Capability (Medium severity, 92% confidence)
The instructions explicitly tell the agent to hand off memories to other agents and to restore prior 'known-good' states, even though the skill's stated purpose is only role switching. Cross-agent memory handoff can expose sensitive architecture decisions, internal context, or user data to unrelated personas, while rollback behavior can let stale or attacker-influenced state override current user intent. The skill context increases risk because these capabilities are not necessary for activating a backend-architect persona and therefore represent unjustified privilege expansion.

Description-Behavior Mismatch (Medium severity, 96% confidence)
The skill instructs the agent to persist learning data and self-schedule future executions, which goes beyond a simple role/persona switch and creates ongoing autonomous behavior. In the context of a role-switching skill, persistence and unattended recurrence materially increase risk because the agent can continue acting without fresh user intent or review.

Description-Behavior Mismatch (High severity, 98% confidence)
The file directs the agent to publish content to external platforms and retrieve analytics through third-party APIs, which exceeds the declared purpose of role switching and gives the skill real-world side effects. This is dangerous because a user may invoke a persona change but unintentionally authorize posting, account actions, and data transfer to outside services.

Context-Inappropriate Capability (High severity, 99% confidence)
Cron-style self-scheduling enables the skill to continue operating after the initial interaction, creating unattended repeated actions on external accounts. For a role-switching skill, this is particularly unsafe because the user expectation is temporary persona adaptation, not a persistent automated agent with future execution rights.

Context-Inappropriate Capability (Medium severity, 91% confidence)
The skill requires publishing credentials from environment variables to interact with external APIs, which is unjustified for a role-switching manifest and expands the blast radius if the skill is misused. While using environment variables is better than hardcoding, the underlying issue is unnecessary access to sensitive tokens for a skill whose stated purpose does not require them.

Description-Behavior Mismatch (High severity, 97% confidence)
The file explicitly defines itself as an autonomous growth engine rather than a role switcher, showing a strong mismatch between manifest claims and actual behavior. This mismatch is dangerous because it can conceal automation, publishing, and data-processing capabilities behind a benign-seeming entry point.

Context-Inappropriate Capability (Medium severity, 86% confidence)
This section teaches engagement and conversion tactics that include scarcity pressure, suspense, like-gating, and other manipulative growth patterns intended to drive platform metrics rather than provide neutral assistance. In a general-purpose role-switching skill, that crosses into deceptive marketing enablement and can help users run coercive or misleading livestream sales flows at scale.

Intent-Code Divergence (Medium severity, 91% confidence)
The skill explicitly states that users who leave groups or delete the account must not be contacted again, but the lifecycle automation examples continue dormant/reactivation outreach without showing any suppression list or exclusion logic for opt-outs, deletions, or group leavers. In a private-domain marketing context, this can cause policy violations, privacy non-compliance, and harassment of users who have withdrawn consent.

Description-Behavior Mismatch (Medium severity, 91% confidence)
The skill is scoped as a paid social strategist, but it instructs the agent to use Google Ads and broader search/display data for decision-making. This creates a scope mismatch that can cause the agent to access or rely on unrelated systems and data sources, increasing the chance of over-privileged behavior and unintended data exposure beyond the persona's stated purpose.

Context-Inappropriate Capability (Medium severity, 95% confidence)
Granting Bash to a paid social strategist is unnecessary for the described business function and violates least-privilege. If invoked, shell access could be abused to run local commands, access files, or pivot to other resources unrelated to campaign strategy, making the skill materially more dangerous than its benign marketing context suggests.

Description-Behavior Mismatch (Medium severity, 93% confidence)
The skill is scoped as a search query analyst, but it declares Write, Edit, and Bash in addition to data-retrieval tools. That expands its effective authority far beyond read-only analysis and creates unnecessary risk of local file modification, shell command execution, or abuse through prompt injection or operator error. In this context, the extra capabilities are not justified by the stated role, which makes the skill more dangerous rather than functionally necessary.

Context-Inappropriate Capability (High severity, 97% confidence)
Granting Bash to a paid-media search query analyst is unjustified and materially increases the attack surface. If the skill processes adversarial inputs, imported data, or prompt-injected content, shell access can be leveraged for arbitrary command execution, local data access, credential exposure, or destructive actions unrelated to search-term analysis.

Description-Behavior Mismatch (High severity, 95% confidence)
The file defines a standalone behavioral manipulation persona that is materially different from the parent skill's stated purpose of role switching. This scope drift is dangerous because it can cause the agent to activate capabilities involving persuasion, task analysis, and outreach behavior that users and platform operators would not reasonably expect from an 'agency' role-switcher skill.

Context-Inappropriate Capability (Medium severity, 93% confidence)
The skill explicitly introduces behavior-influencing and communication-channel optimization capabilities unrelated to simple persona switching, including motivational trigger tracking and channel selection. In context, this is dangerous because it expands the agent into covert persuasion and potentially outbound messaging behavior, increasing risk of manipulative UX, privacy overreach, and unauthorized user contact.

Description-Behavior Mismatch (High severity, 95% confidence)
The file materially diverges from the advertised 'agency' skill behavior by hard-coding a single specialized macOS Spatial/Metal engineer persona. This creates a scope/integrity problem: users or orchestrators expecting a generic role-switcher may invoke this skill under false assumptions, causing unintended authority, misleading outputs, or policy bypass if routing and permissions depend on manifest semantics.

VirusTotal

63/63 vendors flagged this skill as clean.