ClawHub

Bytesagain Workflow Builder

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it stores and runs arbitrary shell-command workflows with limited safety controls, so users should review it carefully before installing.

Install only if you want a local arbitrary-command workflow runner. Treat every workflow file as executable code, review commands before running them, avoid workflows from untrusted sources, and avoid commands that print secrets because short output snippets are saved in the workflow store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill is explicitly designed to accept arbitrary command strings via `add-step` and later execute them in sequence, yet it provides no warning that these commands run on the host shell with the user's privileges. In practice, this can enable destructive or data-exfiltrating commands to be packaged as workflow steps, making the skill especially risky because its core purpose is batch execution of shell commands.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool executes workflow step commands directly as shell code, but presents itself as a general workflow helper without strong guardrails or explicit warnings that stored step definitions are arbitrary code execution. In an agent/skill context, this is dangerous because untrusted workflow content can be created or replayed later, causing command execution on the host under the user's privileges.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal