Security audit

Context — Multi-Agent Collaboration Engine

Security checks across malware telemetry and agentic risk

Overview

This collaboration skill appears purpose-built rather than malicious, but it needs Review because it automatically injects remote shared content into agent prompts and grants broad shared-space write and delete authority without enough user control.

Install only if you trust the Context server and everyone who can edit a shared space. Consider disabling autoInject unless you explicitly need it, avoid putting secrets or private workspace data in shared Context files, and require human confirmation before agents write, delete files, delete spaces, modify members, or send notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
87%
Finding
The skill declares a remote server URL and describes network-backed shared-space features, but there is no explicit permissions declaration warning users that the plugin communicates with an external service. Hidden or under-declared network capability matters here because the plugin auto-injects shared context into agent conversations, increasing the chance that sensitive workspace data is transmitted off-box without informed consent.

Tp4

Severity
High
Category
MCP Tool Poisoning
Confidence
92%
Finding
The documented behavior understates materially sensitive capabilities: destructive operations, search across shared content, notifications, command registration, and prompt/bootstrap context modification. In a collaboration skill, undisclosed context injection and mutation of shared state can alter agent behavior, leak data across participants, or enable unauthorized/destructive actions under the guise of routine collaboration.

Description-Behavior Mismatch

Severity
Medium
Confidence
93%
Finding
The plugin is hard-wired to use an external hosted service by default and many tools transmit collaboration data, file contents, member metadata, and identifiers to that server. The description does not clearly disclose this remote dependency or ongoing data transfer, which can mislead users about where sensitive workspace content is being sent.

Missing User Warnings

Severity
Medium
Confidence
92%
Finding
The README explicitly advertises automatic injection of SPACE.md, TEAM.md, and TASK.md into every agent conversation, but provides no warning, consent model, or scoping guidance for potentially sensitive shared content. In a multi-agent collaboration plugin, this increases the chance of unintended disclosure of private project data, human annotations, credentials, or internal task context to agents and downstream integrations.

Missing User Warnings

Severity
Medium
Confidence
89%
Finding
Promoting viral propagation through shareable URLs without describing access controls, expiration, authentication, or revocation creates a real risk of unintended workspace exposure and uncontrolled spread of shared context. In this skill's context, where shared files are automatically injected into conversations, a leaked or over-broad share link could amplify disclosure across multiple agents and users.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
Automatic injection of SPACE.md, TEAM.md, and TASK.md into every agent conversation changes the model's effective system/context prompt and can propagate untrusted or adversarial instructions across sessions. Because this skill is specifically designed for multi-agent viral propagation and shared spaces, the absence of a prominent warning materially increases prompt-injection, cross-session contamination, and unintended data exposure risk.

Missing User Warnings

Severity
Medium
Confidence
90%
Finding
The tool list includes write, delete, task/member modification, and notification capabilities without warning users about integrity and destructive risks. In a shared multi-agent workspace, these actions can overwrite team context, remove files, spam or misdirect collaborators, and create hard-to-audit changes that affect all linked agents.

Missing User Warnings

Severity
Medium
Confidence
96%
Finding
The before_prompt_build hook automatically sends channel/group identifiers to a remote server to look up a space and fetch protocol content, without any visible consent or notice in this file. In a collaboration system, those identifiers and fetched instructions can reveal sensitive organizational context and silently influence every subsequent model prompt.

Missing User Warnings

Severity
High
Confidence
95%
Finding
The plugin exposes a one-step deletion tool that irreversibly deletes an entire shared space and all files, with no confirmation, soft-delete, role check, or recovery path visible here. In a multi-agent shared-memory context, accidental or adversarial tool invocation can destroy team knowledge and disrupt all collaborating agents.

Missing User Warnings

Severity
Medium
Confidence
91%
Finding
File deletion is exposed as a single action without confirmation, undo, or visible permission validation in this code. Because the plugin is designed as shared collaboration memory, deleting files can erase protocol/task data and impair coordination across agents and humans.

Vague Triggers

Severity
Medium
Confidence
95%
Finding
The manifest explicitly advertises broad automatic behavior: it 'auto-injects shared space context' into agent system prompts and enables 'viral plugin propagation across agents' without stating any activation constraints or user approval boundaries. In a multi-agent prompt environment, ambiguous auto-invocation language increases the chance that sensitive or untrusted shared content is inserted into privileged prompt context unexpectedly, amplifying prompt-injection and cross-agent data leakage risks.

Natural-Language Policy Violations

Severity
Medium
Confidence
98%
Finding
The description states that shared files such as SPACE.md, TEAM.md, and TASK.md are auto-injected into every agent conversation/system prompt, which is effectively forced prompt injection without explicit user opt-in. Because system prompts are highly privileged, this design makes the skill materially more dangerous: any malicious or stale content written into shared files can influence downstream agent behavior, spread across collaborators, and potentially override user intent or expose sensitive context.

Vague Triggers

Severity
Medium
Confidence
93%
Finding
The manifest enables auto-injection of shared protocol files into every agent conversation by default via hooks such as before_prompt_build and agent:bootstrap, but it does not show any scope restriction, consent gate, or trust boundary. In a multi-agent collaboration plugin, this creates a strong prompt-injection and data-leakage primitive because untrusted shared content can silently influence downstream agent behavior across conversations.

Missing User Warnings

Severity
Medium
Confidence
90%
Finding
The manifest advertises powerful tools for reading, writing, searching, and deleting shared files, plus automatic prompt/context injection, without any visible user-facing warning or evidence of confirmation requirements. In this skill's context, those capabilities can be chained so that a malicious or compromised collaborator writes adversarial content into shared files and has it propagated into agent prompts, while destructive file operations increase the risk of tampering and loss of integrity.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
The delete tool exposes irreversible file deletion with only a required space_id and path, and the handler immediately issues a DELETE request without any confirmation, soft-delete, or policy check at the tool layer. In this skill's context, shared files are the central collaboration state for multiple agents and humans, so an accidental, prompted, or malicious tool invocation could disrupt coordination or destroy important artifacts for the whole group.

VirusTotal

66/66 vendors flagged this skill as clean.