Agent Workforce Orchestration: Hybrid Human+AI Teams

Security checks across malware telemetry and agentic risk

Overview

This markdown guide is purpose-aligned, but users should review it carefully because its runnable examples can create wallets, escrows, payments, disputes, and other live account changes while the setup text understates the credential and sandbox requirements.

Install only if you intend to build against GreenHelix and are prepared to review examples before running them. Use a sandbox or least-privilege test API key, confirm the endpoint is non-production, set budget limits and approval gates, and do not run wallet, escrow, payment, dispute, or bootstrap examples against a live account without human review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence
Medium
Confidence: 94%
Finding: The guide claims no API key is required to get started, yet the provided code immediately reads GREENHELIX_API_KEY from the environment and uses it for authenticated API calls. This mismatch can cause users to run privileged examples under false assumptions, increasing the chance of unintended access, billing, or state-changing operations.

Intent-Code Divergence
High
Confidence: 97%
Finding: The file describes itself as a non-executing educational guide, but includes top-level Python that registers agents, creates wallets, funds workflows, and runs orchestration logic. If a user copies or runs these snippets, they can trigger real external side effects including financial and operational changes, making the 'non-executing' framing materially misleading.

Missing User Warnings
Medium
Confidence: 88%
Finding: The guide promotes autonomous worker onboarding, escrow creation, payment release, and dispute handling without a prominent warning about financial loss, legal obligations, and unintended operational consequences. In this context, users may deploy automation that can move money or bind workflows before understanding the risks or adding approvals.

Missing User Warnings
Medium
Confidence: 91%
Finding: The skill references a read/write API credential but does not pair that disclosure with a warning that the examples may perform state-changing actions against external services. This increases the chance that users expose or misuse a powerful credential in examples involving wallets, escrows, registration, and messaging.

VirusTotal

66/66 vendors flagged this skill as clean.