ClawHub

Agent-team-manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local, purpose-aligned agent team coordination helper, with documentation gaps but no evidence of theft, destructive behavior, or hidden execution.

Install only if you want a local coordination library and are prepared to define your own approval, privacy, and agent-authentication boundaries. Do not rely on the enterprise compliance or audit-trail claims without additional controls, and verify the missing index.js/export structure before using it in a real workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill’s 'When to Use' guidance is very broad and does not define clear activation boundaries, prohibited use cases, or required safeguards. In an agent-orchestration skill, this can cause over-invocation on sensitive or high-risk tasks, increasing the chance that downstream agents are used for actions the user did not intend or that require stronger review.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example task explicitly references analyzing thousands of mailbox emails, which is privacy-sensitive content, but the skill does not provide any warning, consent requirement, minimization guidance, or handling restrictions. Because this is a team-manager skill intended to coordinate multiple agents, the absence of privacy controls can amplify exposure by propagating sensitive email data across several agents and review steps.

VirusTotal

70/70 vendors flagged this skill as clean.

View on VirusTotal