Coding Agent Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill openly controls local coding-agent sessions, but its broad chat triggers and generic yes/no routing could accidentally approve, steer, interrupt, or expose active work.

Install only if you want chat-based control over local Varie Workstation/Claude Code sessions. Use explicit project and session names, avoid casual yes/no replies while prompts are pending, prefer session-scoped screenshots, and install wctl only from a trusted Varie Workstation source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The skill claims that free text is never injected without validation, but multiple documented flows dispatch raw user text directly into an existing terminal session, including normal session messages and feedback text after selecting option 4. This contradiction is dangerous because it may cause operators to over-trust the safety properties of the skill while user-controlled input is still being delivered to a live coding agent that can act on it.

Intent-Code Divergence

Low
Confidence: 88%
Finding
The skill states it asks for confirmation before creating new sessions, but the main workflow explicitly auto-creates a session when no match is found. This inconsistency can lead to unintended session creation and execution against the wrong repository or path, especially when fuzzy matching and discovery are involved.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list includes very broad terms such as yes, no, stop, show me, and capture, which are common in ordinary conversation. In a high-impact control skill that can dispatch commands, interrupt sessions, or send screenshots, overly broad activation increases the chance of unintended invocation and accidental action on active workstations.

Vague Triggers

Medium
Confidence: 93%
Finding
The pending-prompt reply detection treats short replies like numbers, yes, no, approve, or short answers as responses to an existing prompt if any prompt is pending. This can over-capture unrelated user messages and route them into a session prompt workflow, potentially approving plans, rejecting with feedback, or answering the wrong interactive question.

Ssd 3

Medium
Confidence: 89%
Finding
The skill enables taking screenshots of a session or the full screen and sending them to the current messaging target based on conversation context. Because screenshots can contain source code, secrets, unrelated windows, or sensitive personal data, this creates a real disclosure path if invoked accidentally, misrouted, or triggered under ambiguous intent.

VirusTotal

66/66 vendors flagged this skill as clean.