Epic AI Swarm Orchestration

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate multi-agent coding orchestrator, but it gives autonomous agents broad authority to change code, commit, push, run with reduced safeguards, persist work logs, and send status externally.

Install only in a dedicated, trusted development environment and only for repositories where automated commits, pushes, PR creation, work-log persistence, and optional notifications are acceptable. Review swarm.conf, notification targets, provider credentials, branch protections, and the default use of auto-approved or sandbox-bypassing agent modes before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to run shell scripts, inspect local files, modify workspace state, and potentially perform networked provider probing, yet it declares no permissions. This creates a dangerous mismatch between the apparent trust boundary and the actual operational capability, making it easier for the skill to be invoked with far more authority than a reviewer or platform policy might expect.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script sources the user's ~/.bashrc before running model probes, which executes arbitrary user-defined shell code and imports unrelated aliases, functions, environment variables, and side effects into a maintenance task. In a skill meant to assess model availability, this expands execution scope beyond the stated purpose and can trigger unintended or attacker-planted code whenever the assessment runs.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script sends an outbound notification after assessment, which is an additional side effect not essential to testing model availability and updating duty assignments. In an orchestration skill, this can leak operational metadata such as selected models and scheduling state to an external channel and may surprise operators who expected only a local assessment/update action.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script exfiltrates operational data by sending a standup summary to an externally configurable OpenClaw/Telegram destination. Although this appears intended for status reporting, it is outside core swarm orchestration and includes task IDs, project names, agent activity, and queue state, creating a real data-leak surface if the target or channel is misconfigured or attacker-controlled.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This script is named and framed as a completion notifier, but it autonomously spawns a reviewer/fixer agent that can inspect code, modify the repository, commit changes, and push them upstream. That is a real security-relevant boundary expansion: anyone invoking a seemingly observational watcher can trigger privileged code-changing behavior, and the generated prompt explicitly instructs direct fixes and git push operations.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The persist_and_update_esr function performs writes to project documentation, stages files, commits them, and pushes to git automatically on exit. In a monitoring/notifier component this creates unexpected side effects and can leak or publish worklog content, including sensitive operational details, without a deliberate review checkpoint.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
On review completion the watcher launches deploy-notify.sh in the background via nohup, coupling completion monitoring to downstream CI/CD-style side effects. This can unintentionally trigger external automation based on inferred success, even when the review result was auto-inferred or incomplete, expanding blast radius beyond simple notifications.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The runner invokes Codex with `--dangerously-bypass-approvals-and-sandbox`, explicitly disabling normal execution safeguards while feeding it a prompt that also directs autonomous code changes, commits, pushes, and PR creation. In this swarm/orchestration context, that gives an LLM broad authority to execute arbitrary shell actions against the local repo and surrounding environment, making prompt injection, task poisoning, or model misbehavior materially dangerous.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script appends instructions telling the spawned agent to commit changes, push to `origin`, and create a PR automatically. That turns code generation into autonomous outbound repository modification, which can exfiltrate sensitive code, publish unsafe changes, or let a compromised/prompt-injected agent take actions beyond local drafting.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script programmatically creates per-task endorsement files specifically so a downstream approval gate will pass, even when no distinct per-task approval occurred. That is an authorization bypass: it converts a batch-level verbal approval into synthetic task-level approvals without enforcing scope, identity, or intent, which can allow unreviewed or expanded tasks to execute under a false appearance of human authorization.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script imports configuration and exports an API key, then later transmits prompts to external model providers without an explicit execution-time warning or confirmation. Although the probe text is harmless, the combination of local config loading and automatic outbound network use can violate operator expectations and increases risk in a portable swarm/orchestration context where scripts may run unattended.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically copies project summary content to an external path specified by OBSIDIAN_BASE, which can expose potentially sensitive project status, plans, and learnings outside the repository without an explicit confirmation step. In a multi-agent orchestration skill, this is more dangerous because summaries may aggregate broad internal context, making accidental disclosure to a synced notes vault or shared filesystem more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends integration status messages to an external messaging channel via `openclaw message send`, and those messages can include repository-derived summaries such as commit messages and reviewer output. In a swarm/orchestration context, commit subjects and review summaries may contain sensitive project details, incident data, internal filenames, or security findings, so exfiltration to Telegram or another configured channel is a real confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script explicitly aggregates all subteam work logs, writes them into a combined integration log, and persists copies under `docs/history/` and `docs/decisions/`. Those logs are likely to contain code excerpts, design rationale, secrets accidentally printed by agents, and cross-team context that would not normally be committed, creating a durable data-retention and possible source-control exposure issue.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The integration watcher instructs an automated agent to make fixes directly and later performs additional automated commits and pushes itself, which can publish changes without human review. In this skill's multi-agent coding context, that is especially dangerous because AI-generated modifications plus automatic `git push` can propagate incorrect code, security regressions, or sensitive documentation/history to a remote repository at scale.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The reviewer subprocess is launched in a highly autonomous mode, including gemini -y and a fallback command containing --full-auto, while being given a prompt that explicitly authorizes shell actions, code changes, commits, and pushes. Running an LLM-driven agent with auto-approved tool use against a repository is dangerous because prompt mistakes, poisoned repo content, or adversarial files can cause unreviewed destructive or exfiltrating actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs automatic git add/commit/push in the review project without an execution-point warning or confirmation. This is risky because a background watcher can publish unintended files or sensitive documentation updates, especially since the committed content includes generated worklogs and ESR updates.

Missing User Warnings

High
Confidence
99% confidence
Finding
This line performs agent-driven shell execution with the most permissive approval-bypass mode and no runtime warning or consent checkpoint for the operator. Because the script is expressly designed to spawn autonomous coding agents, the unsafe execution setting is not theoretical: it directly expands the blast radius from file edits to unrestricted command execution and possible system or credential compromise.

Unvalidated Output Injection

High
Category
Output Handling
Content
# --- Generate EOR log ---
if os.path.isfile(eor_script) and os.path.isdir(project_dir):
    try:
        eor_result = subprocess.run(
            ["bash", eor_script, project_dir, task_id, "", agent],
            capture_output=True, text=True, timeout=30
        )
Confidence
83% confidence
Finding
subprocess.run( ["bash", eor_script, project_dir, task_id, "", agent], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
# Check for PR
pr_num = ""
try:
    pr_result = subprocess.run(
        ["gh", "pr", "list", "--head", branch, "--json", "number", "-q", ".[0].number"],
        capture_output=True, text=True, cwd=project_dir, timeout=15
    )
Confidence
78% confidence
Finding
subprocess.run( ["gh", "pr", "list", "--head", branch, "--json", "number", "-q", ".[0].number"], capture_output

VirusTotal

66/66 vendors flagged this skill as clean.
