Team Projects

Security checks across malware telemetry and agentic risk

Overview

This is a real multi-agent project-management skill, but it asks for broad agent permissions and includes under-scoped local execution paths that should be reviewed before use.

Review the source patches before installing. Replace wildcard agent allowlists with explicit project-team agents, avoid broad session visibility unless needed, and change the dashboard refresh to a dedicated read-only project API instead of a silent sessions.send command. Do not enable the optional localhost HTTP API unless you add authentication, restricted CORS, and clear controls for mutating project data.
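The wildcard-allowlist fix from the paragraph above, as an added JavaScript example that is not the skill's or the platform's own code: it audits a config object for the two keys the scan findings quote, tools.agentToAgent.allow and subagents.allowAgents, and rewrites any wildcard entry to an explicit list of project-team agents. The config objects, agent names and the check itself are constructed for illustration; only the two key paths come from the page.

```javascript
// Added example (not the skill's own code): audit an agent config for the
// wildcard inter-agent grants the scan flags, and produce a least-privilege
// replacement. Key paths are the ones quoted in the findings; the config
// objects and agent names below are constructed for illustration.

// Constructed: what the skill's install instructions recommend.
const permissiveConfig = {
  tools: { agentToAgent: { allow: ["*"] } },
  subagents: { allowAgents: ["*"] },
};

// Constructed: the same skill restricted to named project-team agents.
const hardenedConfig = {
  tools: { agentToAgent: { allow: ["project-planner", "project-reporter"] } },
  subagents: { allowAgents: ["project-planner", "project-reporter"] },
};

// Config keys that give one agent reach over other agents.
const AGENT_ALLOWLIST_PATHS = ["tools.agentToAgent.allow", "subagents.allowAgents"];

function getPath(obj, dotted) {
  return dotted.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

function setPath(obj, dotted, value) {
  const keys = dotted.split(".");
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (cur[k] == null || typeof cur[k] !== "object") cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// One finding per allowlist that is a wildcard or not a list at all.
function auditAllowlists(config) {
  const findings = [];
  for (const p of AGENT_ALLOWLIST_PATHS) {
    const value = getPath(config, p);
    if (value === undefined) continue; // unset: grants nothing
    if (!Array.isArray(value)) {
      findings.push({ path: p, issue: "allowlist is not an array", value });
    } else if (value.includes("*")) {
      findings.push({ path: p, issue: "wildcard grants access to every configured agent", value });
    }
  }
  return findings;
}

// Deep copy of config with every flagged allowlist replaced by teamAgents.
function hardenAllowlists(config, teamAgents) {
  if (!Array.isArray(teamAgents) || teamAgents.length === 0 || teamAgents.includes("*")) {
    throw new Error("teamAgents must name specific agents");
  }
  const copy = JSON.parse(JSON.stringify(config));
  for (const f of auditAllowlists(copy)) setPath(copy, f.path, [...teamAgents]);
  return copy;
}

// Stand-alone demo over the constructed configs.
for (const [name, cfg] of [["permissive", permissiveConfig], ["hardened", hardenedConfig]]) {
  const findings = auditAllowlists(cfg);
  console.log(`${name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.path}: ${f.issue}`);
}
```

To run this against a real install, parse the agent config file with JSON.parse and pass the object to auditAllowlists; hardenAllowlists returns a copy rather than editing in place so the original can be diffed before it is written back.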

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability
Severity: High
Confidence: 98%

The UI refresh path sends a free-form instruction to an agent session telling it to run a local Node command and return raw JSON. That makes a presentation-layer component depend on agent-mediated command execution rather than a constrained data API, expanding the trust boundary and creating a dangerous execution primitive if the message path, script path, or surrounding agent behavior can be influenced.

Missing User Warnings
Severity: Medium
Confidence: 97%

The installation instructions explicitly recommend wildcard inter-agent permissions via tools.agentToAgent.allow and subagents.allowAgents set to ["*"], which grants the coordinator broad ability to contact or spawn any configured agent. In a multi-agent environment, this expands blast radius substantially: a compromised or misprompted coordinator can delegate sensitive data, trigger unintended actions, or laterally move work to higher-privilege agents without meaningful restriction.

Missing User Warnings
Severity: Medium
Confidence: 88%

The code instructs the agent to run the command 'silently' and provides no UI disclosure that refreshing the dashboard triggers local command execution and filesystem-backed retrieval. In a multi-agent project-management skill, hidden execution is more dangerous because users may treat the dashboard as passive display logic while it is actually causing privileged backend activity.

Missing User Warnings
Severity: Medium
Confidence: 94%

The walkthrough explicitly recommends enabling inter-agent messaging with `allow: ["*"]` and broad session visibility, which permits unrestricted cross-agent communication and increases the risk of unnecessary data sharing between agents. In a multi-agent project-management skill, agents may handle different user data, prompts, files, or tool outputs, so documenting a permissive default without clear privacy boundaries or least-privilege guidance can lead to cross-agent data exposure or misuse.

VirusTotal

0 of 63 vendors flagged this skill; all 63 returned clean. Note that an antivirus verdict only says no vendor recognised the packaged files as known malware. It does not assess the wildcard permissions, hidden command execution, or data-sharing defaults recorded above, which are configuration and design issues rather than malicious code.