AI Swarm Orchestration

Security checks across malware telemetry and agentic risk

Overview

This coding-swarm skill is mostly purpose-aligned, but it needs review because it can bypass approvals and automatically change or push repository content.

Install only after reviewing the scripts and using a disposable or tightly controlled repository. Disable or edit auto-endorsement, permission-bypass agent modes, automatic commit/push/merge behavior, external notifications, and raw log retention unless you explicitly want those behaviors. Avoid running it where local OAuth/API credentials can push to protected branches or where prompts and work logs may contain secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding:
The skill clearly instructs the operator to perform shell execution, create and modify files under ~/workspace/swarm and /tmp, manage git worktrees, and send Telegram notifications, yet it declares no permissions or equivalent trust boundaries. This creates a dangerous mismatch where a user or platform may underestimate the skill's ability to alter repositories, execute commands, and exfiltrate task metadata over the network.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The current duty table assigns the builder role to Codex even though Codex is marked benched and its model is in a model-error state. In a multi-agent orchestration skill, this can cause automation to invoke an unavailable or misconfigured CLI, leading to failed runs, unpredictable fallback behavior, or execution against the wrong tool/account context.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
The script explicitly bypasses the endorsement control by automatically creating an endorsement file whenever one is missing. In a system that orchestrates multiple coding agents and subsequent integration, this removes a human approval checkpoint and allows unreviewed or unintended tasks to proceed as if they were authorized.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This section describes fully automated review, integration, branch merging, conflict resolution, verification, and state-file updates, but does not prominently warn that these actions can materially and destructively change a repository. In a coding-orchestration skill, automatic merges and conflict handling are especially risky because they can overwrite developer intent, introduce incorrect code, or mutate the main working state without a clear human confirmation point at the merge stage.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill advertises Telegram notifications in setup and workflow instructions without clearly warning that task, project, status, or branch information may be transmitted to an external third-party service. In the context of multi-agent coding orchestration, those notifications can easily include sensitive repository names, issue descriptions, or operational metadata, creating an avoidable data-leak channel.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The role definition explicitly states 'Auto-merge to main' as part of the ship phase, but it does not require a user confirmation step, protected-branch checks, or any warning that this can directly change the primary branch. In a multi-agent coding swarm context, this is especially risky because code produced and reviewed by autonomous agents may be incorrect, unsafe, or adversarial, and automatic promotion to main amplifies integrity and supply-chain risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The documentation explicitly instructs use of non-interactive agent commands that disable permission checks, approvals, or sandboxing, but provides no warning about the security consequences. In a multi-agent coding/orchestration skill, this materially increases the chance that unreviewed prompts or generated code can perform repository modifications, execute risky actions, or access sensitive data without user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The primary usage example advertises automatic endorsement and integration of agent output into a repository without any disclosure that this can change branches, merge code, and propagate unsafe or malicious modifications. Given this skill is specifically designed to orchestrate parallel coding agents and merge their work, omitting warnings normalizes high-risk automation and can lead users to run destructive workflows without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script explicitly selects non-interactive commands that run Claude with `--permission-mode bypassPermissions` and Codex with `--full-auto`, disabling normal safety/approval gates for downstream agent execution. In the context of an orchestration skill that later uses these generated commands to drive coding agents, this materially increases the risk of unauthorized file changes, command execution, or destructive actions without explicit user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script sends status messages and git-derived summaries to an external notification target via openclaw without any consent, classification, or content minimization. In a coding-orchestration skill, commit messages and summaries can contain branch names, ticket IDs, internal architecture details, or even secrets accidentally included by agents, so this creates a real data exfiltration channel.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The script explicitly states that all work logs from /tmp are persisted into project history for traceability, but there is no warning, filtering, or retention control. Those logs are likely to contain agent reasoning, copied file content, debugging output, credentials, or user-provided sensitive context, so copying them into the repository creates unnecessary exposure and long-term persistence.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script writes a reviewer prompt containing project path and full work-log context to a predictable /tmp file. On multi-user systems, temporary files in /tmp can be exposed through weak default permissions, symlink races, or other local-user access patterns, leaking sensitive source code, review notes, or secrets copied into the work log.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script automatically stages, commits, and pushes documentation/history updates to the configured git remote without an explicit confirmation step. In this skill's context, the workflow is highly autonomous and may persist AI-generated work logs and ESR content that could include sensitive internal details, causing unintended publication or integrity-impacting changes to shared repositories.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script automatically performs `git fetch`/`git worktree` operations and package-manager installs (`pnpm`, `yarn`, `npm`) against a user-supplied project directory without an explicit consent or dry-run step. In this skill's context, that can trigger network access and arbitrary package lifecycle scripts from the target repository, which is risky because the whole purpose of the skill is to operate on arbitrary codebases with minimal friction.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The generated runner launches autonomous agent CLIs with powerful settings and completion instructions that include committing, pushing, and opening PRs; for Claude it explicitly uses `--permission-mode bypassPermissions`. In an orchestration skill designed to spawn coding agents over arbitrary repos, this materially increases the chance of unintended code changes, data access, or remote writes occurring without meaningful human review at the point of execution.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script silently mutates security-relevant state by generating endorsement artifacts without warning or operator approval. Because this skill is designed to spawn parallel AI agents that can modify code and later be integrated, silently granting approval materially increases the chance of unauthorized or unsafe changes entering the workflow.

Ssd 3

Severity: Medium
Confidence: 89%
Finding:
The design intentionally aggregates all subteam logs and retains them for traceability, creating a broad collection pipeline for natural-language operational data. In this skill, those logs likely contain cross-agent outputs and user context, so centralizing and retaining them increases blast radius if the repo, host, or notification/logging path is later accessed by unauthorized parties.

Ssd 3

Severity: Medium
Confidence: 87%
Finding:
The generated prompt instructs the integration reviewer to consume the full contents of all subteam work logs, broadening access to potentially sensitive material beyond the original producing agent. This is a real semantic data-exposure issue because it encourages reuse and propagation of raw logs into another model context and potentially into subsequent outputs, commits, or notifications.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The script copies integration and subteam logs into docs/history and swarm logs, creating durable retention of transient operational data that may include sensitive content. In a multi-agent coding environment, this is especially risky because logs can accumulate prompts, summaries, internal project details, and accidental secrets, all of which become easier to discover, commit, and exfiltrate later.

Unvalidated Output Injection

Severity: High
Category: Output Handling
Content:
# --- Generate EOR log ---
# Run the EOR script only when both the script and the project directory exist.
if os.path.isfile(eor_script) and os.path.isdir(project_dir):
    try:
        # Arguments are passed as an argv list (no shell string). The captured
        # stdout/stderr is the output this Output Handling finding flags as
        # consumed downstream without validation.
        eor_result = subprocess.run(
            ["bash", eor_script, project_dir, task_id, "", agent],
            capture_output=True, text=True, timeout=30
        )
Confidence: 90%
Finding:
subprocess.run( ["bash", eor_script, project_dir, task_id, "", agent], capture_output

Unvalidated Output Injection

Severity: High
Category: Output Handling
Content:
# Check for PR
pr_num = ""
try:
    # Ask gh for the first PR whose head is `branch`, extracting its number
    # with a jq query. The captured text is the output this Output Handling
    # finding flags as consumed downstream without validation.
    pr_result = subprocess.run(
        ["gh", "pr", "list", "--head", branch, "--json", "number", "-q", ".[0].number"],
        capture_output=True, text=True, cwd=project_dir, timeout=15
    )
Confidence: 79%
Finding:
subprocess.run( ["gh", "pr", "list", "--head", branch, "--json", "number", "-q", ".[0].number"], capture_output

VirusTotal

67/67 vendors flagged this skill as clean.