Workflow Tools

Security checks across malware telemetry and agentic risk

Overview

The core workflow analysis features are disclosed, but the skill can delegate work to any installed skill, including background subworkflows, without enough scoping or stop-control detail.

Install only if you need the subworkflow orchestration feature. Keep `/wt loops` and `/wt mce` pointed at intended project files, review companion skills before installing them, and avoid `/wt subworkflow --background` unless you know which skill will run, what context it receives, and how to monitor or stop it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill explicitly includes a subworkflow feature that can invoke other installed skills, expanding its effective capability beyond simple workflow analysis. This is dangerous because it widens the permission and behavior surface to the union of whatever downstream skills are installed, enabling unintended data access or side effects through delegation.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The top-level manifest description says the skill is for loop detection, parallel decisions, and file size analysis, but the body also provides subworkflow spawning. This mismatch can mislead reviewers and users about the true operational scope, causing them to approve or install a skill with broader capabilities than advertised.

Scope Creep

Medium
Confidence
95% confidence
Finding
The skill documents that `/wt loops` and `/wt mce` can read arbitrary user-specified directories and files outside the metadata-declared paths. Even if read-only, unrestricted path access can expose sensitive workspace or host data to the model and to generated output files, especially if users point it at secrets, SSH folders, or unrelated repositories.

VirusTotal

66/66 vendors flagged this skill as clean.