ClawHub

Workflow Engine

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real workflow engine, but it needs Review because it grants broad automation authority and includes unsafe credential-copying guidance.

Install only if you intend to run a powerful local workflow orchestrator and can review each workflow before execution. Do not follow the docs that copy SSH private keys or ClawHub config tokens between machines; create fresh keys/tokens instead. Keep automatic, scheduled, history-based, and event-based triggers disabled unless you explicitly trust the workflows, and avoid importing community .tgz workflows from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents file read/write and shell execution capabilities, but the manifest does not declare permissions or boundaries for them. In a workflow engine that can execute terminal commands and manipulate workflow/state files, this creates an authorization gap where powerful actions may be invoked without clear user visibility or policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The manifest presents the skill as a workflow orchestrator, but the body expands it into broad automatic intent classification, session-history scanning, schedule inference, and event-driven activation across many domains. That mismatch is dangerous because users may authorize a narrow orchestration tool while the skill actually claims surveillance-like monitoring and autonomous triggering behavior beyond the stated scope.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented trigger surface expands from workflow execution into generic domains like email, deployment, monitoring, backup, and code review. Broadening activation this way increases the chance of accidental invocation on ordinary requests and can route unrelated tasks into a high-privilege orchestration flow.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill describes autonomous monitoring of session history, tool-use sequences, schedules, and external events to drive behavior. This is broader than its declared orchestration role and creates privacy and consent risks because user activity is analyzed and reused outside the immediate request context.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The CHECKPOINT section requires user confirmation before workflow execution, but the trigger flow elsewhere allows automatic execution or execution proposals based on inferred intent, time patterns, or events. This contradiction undermines the safety boundary and can result in actions being taken without the explicit approval the skill itself claims is mandatory.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The document goes beyond workflow publication guidance and instructs users to publish via external accounts using credentials sourced from another server. Embedding credential-sharing and account-reuse steps in a skill reference materially increases the chance of unauthorized access and secret exfiltration, especially because users may treat the instructions as endorsed operational practice.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The guide explicitly instructs users to copy a private SSH key from a remote root account and use it for GitHub authentication. Sharing private keys between hosts and users destroys key provenance, enables account compromise if either system is breached, and may grant access far beyond the skill's intended scope.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The document tells readers to copy a ClawHub config.json from another server, which likely contains active authentication tokens. Reusing another machine's token enables impersonation, breaks access accountability, and can expose or transfer privileges without authorization.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The document instructs operators to copy sensitive account material between servers, including a ClawHub config containing authentication state and an SSH private key, without any security controls or justification tied to DAG/workflow orchestration. In the context of an agent skill, this normalizes credential movement and increases the chance of credential theft, account takeover, and lateral movement across systems.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The workflow format explicitly allows `type: terminal` with an arbitrary `command`, which turns a declarative orchestration spec into a vehicle for unrestricted shell execution. In a workflow engine that supports automation, parallel execution, and subagents, this materially increases the chance of command injection, destructive local actions, or abuse of the host environment if workflows are untrusted or user-influenced.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
Allowing `{{env.xxx}}` interpolation exposes host environment data to workflow prompts, commands, and paths, creating a path for secret leakage or unsafe command construction. In this engine's context, environment variables may contain API keys, tokens, or sensitive filesystem locations, and combining this feature with `terminal`, `llm`, or `subagent` steps makes exfiltration and misuse more likely.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The auto-trigger engine reads and builds behavior patterns from local session history and also persists workflow execution schedules to disk, expanding from explicit workflow orchestration into background behavioral profiling. This creates privacy and scope-creep risk because past user activity is mined and stored without clear consent, minimization, or retention controls.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The file introduces event-driven mappings for external signals such as received emails, PR openings, alerts, and reminders, which can trigger workflows beyond direct user requests. In a skill designed to orchestrate tasks, this broadens activation paths and can cause unintended or surprising workflow execution when external events are connected later.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The import logic writes archive members directly into the local workflow directory after splitting off the top-level path, but it never validates the remaining path. A crafted tar member such as 'name/../../.bashrc' or nested absolute-like paths can escape the intended directory and overwrite arbitrary user files, which is a classic archive path traversal issue.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The batch generator assigns broad toolsets to generic 'skill' and 'subagent' steps, including terminal, file, and web access by default. In a workflow engine that orchestrates arbitrary multi-step tasks, this creates excessive privilege and can let a prompt-defined step perform filesystem access, command execution, or network actions well beyond the minimum required for the workflow.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The automatic fallback map transparently expands failures in benign-looking operations into shell and network-capable alternatives such as terminal:cat, terminal:echo, terminal:curl, and execute_code. This increases the attack surface because a workflow step can silently degrade into more powerful execution paths, potentially bypassing the operator's expectations and enabling command or data exfiltration paths.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger phrases are broad everyday terms such as 'automate task' and '多步骤任务', which overlap heavily with normal user requests. In a powerful skill that can execute shell commands, invoke subagents, and write files, overly broad triggers can cause accidental activation and privilege escalation from casual conversation into orchestration mode.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The examples of when to use the skill include vague everyday phrasing, which trains activation logic toward ordinary conversation rather than intentional invocation. This is risky because the skill controls broad automation and execution primitives that should not be entered implicitly.

Vague Triggers

High
Confidence
98% confidence
Finding
Automatic intent-based triggering without explicit trigger words allows the skill to activate from semantic guesses across many domains. In context, that means a user asking for help with research, deployment, email, or review could be silently mapped into workflow execution behavior with shell, file, or delegation side effects.

Vague Triggers

High
Confidence
97% confidence
Finding
Tool-sequence, time-pattern, history, and event-driven auto-trigger rules are unconstrained and permit activation based on indirect signals rather than a direct user request. This creates a substantial risk of surprising autonomous behavior, including repeated or scheduled execution of workflows that operate over files, tools, or external systems.

Missing User Warnings

High
Confidence
99% confidence
Finding
The instructions normalize copying a sensitive SSH private key from a remote root-owned location without any warning, approval boundary, or trust verification. This is dangerous because users may unknowingly import highly privileged credentials into less secure environments, widening the attack surface and undermining nonrepudiation.

Missing User Warnings

High
Confidence
99% confidence
Finding
The guide instructs users to copy a config file containing authentication material from a remote server with no warning about credential exposure or authorization requirements. This can lead to accidental account takeover, privilege misuse, and leakage of persistent tokens into local machines, backups, or repositories.

Missing User Warnings

High
Confidence
96% confidence
Finding
The markdown directly tells users to transfer authentication material between servers but omits warnings that these files may grant persistent access to third-party services or infrastructure. That omission is dangerous because users may follow the steps verbatim, exposing high-value credentials in transit or at rest on an unintended host.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document provides copy-paste deployment commands that create directories, transfer files, unpack code, and modify files on a remote host, but it does not warn that these actions will change a live remote system. In a skill context, users may treat the instructions as routine automation guidance and execute them without understanding the scope of impact, increasing the risk of unintended changes or deployment to the wrong host.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions repeatedly use direct SSH and SCP as root to a public IP, then perform extraction and in-place edits remotely. Running deployment steps with full root privileges magnifies the consequences of mistakes, compromised credentials, or tampered payloads, potentially leading to full system compromise or broad configuration damage.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal