Complex Task Subagent

Security checks across malware telemetry and agentic risk

Overview

This skill is a powerful unattended automation framework with real user-control and credential-scope concerns, but the artifacts do not show clear malicious intent.

Install this skill only in a controlled workspace, and only if you deliberately want unattended subagent automation. Do not enable silent device auto-approval, do not let a timeout count as consent for sensitive actions, keep API keys out of shared config where possible, review cron and heartbeat tasks, and require a manual git status/diff review plus explicit approval before any commit, push, external message, gateway restart, or account/admin change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill performs clear file read/write operations against workspace and configuration paths, but does not declare those capabilities. Undeclared filesystem access weakens user understanding and policy enforcement, especially because the documented actions include editing config files, creating state files, and writing checkpoints. In the context of an unattended orchestration skill, hidden write capability is more dangerous because it can silently alter persistent local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior goes well beyond simple subagent orchestration into configuration mutation, notification state management, local agent enumeration, cache management, and direct writes under fixed system paths. That mismatch prevents informed consent and makes it easier for the skill to be used as a privileged configuration-management tool rather than a narrow orchestrator. Because the skill also promotes unattended operation, the extra undocumented behaviors materially increase risk.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill documentation extends into Feishu API setup, third-party image API configuration, and direct local HTTP agent API usage, which are outside the stated orchestration purpose. This broadens the attack surface to external services and credentialed integrations without clear necessity or isolation. In a skill users may trust for orchestration only, such scope expansion is risky and can facilitate unintended data transmission or credential exposure.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill recommends changing device pairing settings to automatically approve browser, CLI, and UI clients by editing a security-sensitive file. This weakens an important trust boundary and can allow unauthorized or less-scrutinized clients to connect with reduced friction. That is especially dangerous in a framework designed for unattended execution, where approved clients could trigger privileged automation without immediate oversight.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The documentation instructs users to place API keys and service secrets directly into OpenClaw configuration. Storing long-lived secrets in broadly readable or casually edited config files increases the chance of accidental disclosure, misuse by subagents, or leakage via logs, backups, or repo sync. This is outside the core orchestration purpose and creates credential-management risk without proper controls.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The example code evaluates branch conditions from task configuration using Python eval(), which can lead to arbitrary code execution if an attacker can influence the condition string or checkpoint-derived context. In this skill's orchestration setting, branch definitions may be dynamically generated or loaded from task files, making this more dangerous than a purely theoretical documentation issue because users may copy the pattern directly into automation that processes untrusted workflow data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The quick-start explicitly instructs packaging the skill, committing changes, and pushing to Gitee, which introduces remote publication behavior beyond local task orchestration. This is dangerous because users may trigger unintended exfiltration or publication of workspace contents, credentials, research artifacts, or generated files without an explicit safety gate or scope restriction.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Presenting automatic synchronization to Gitee as part of the normal workflow expands the skill from orchestration into autonomous remote data transfer. In context, this makes the skill more dangerous because the documentation normalizes unattended publication after task completion, increasing the chance of silently exposing local artifacts or proprietary content.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script goes beyond notification handling and directly changes the task's executionMode to "unattended" after a timeout. In an orchestration skill, that can bypass an intended human confirmation gate and allow follow-on actions to continue without renewed approval, which is a real safety/control weakness even if the author likely intended resilience rather than harm.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script executes `${EDITOR:-nano}` directly, so any caller who controls the `EDITOR` environment variable can cause an arbitrary program to run when the user chooses to edit preferences. In a skill meant for orchestration and unattended operation, invoking an external program outside the script's intended scope increases attack surface and can be abused for unexpected command execution.

Missing User Warnings

High
Confidence
90% confidence
Finding
The skill advertises unattended automation, auto-fallback, and automatic progression without clearly warning users that it may take actions affecting files, accounts, messages, and system configuration while they are absent. Lack of prominent warning undermines informed consent and increases the chance of risky deployment in sensitive environments. Because the skill is specifically designed for autonomous operation, omission of risk disclosure materially raises the danger.

Missing User Warnings

High
Confidence
96% confidence
Finding
The instructions normalize modification of security-sensitive pairing behavior without prominently explaining the consequences of reduced client verification. Users may follow the steps as routine setup and unintentionally weaken local access controls. In a toolchain capable of spawning subagents and editing system configuration, this omission is high risk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The Feishu cron examples send task content and recipient identifiers to an external messaging service, but the documentation does not clearly warn about privacy and metadata exposure. Users may include sensitive prompts, operational details, or internal identifiers in scheduled messages without understanding the transmission risk. The skill context increases concern because it encourages unattended recurring delivery.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document describes automatic commit and push behavior but does not warn about remote sync risks, such as uploading sensitive files, generated outputs, or embedded secrets. Because the workflow runs across a broad workspace path, the absence of warnings or review checkpoints materially increases the likelihood of unintended disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The fallback path automatically updates the progress file to unattended mode once the timeout is reached, without an explicit final warning or affirmative acknowledgment at the moment of transition. In this skill's context, which is designed for reliable unattended orchestration, that behavior increases the chance that sensitive or disruptive steps proceed after mere operator unavailability rather than deliberate approval.

Ssd 4

Medium
Confidence
90% confidence
Finding
The workflow explicitly escalates from user-confirmed operation to unattended execution after timeout, creating a consent bypass through silence. Non-response is not reliable authorization, especially for actions that may affect files, services, or external systems. In this skill's context of autonomous orchestration, timeout-based escalation can convert temporary absence into implicit approval.

Ssd 4

High
Confidence
97% confidence
Finding
The confirmation workflow is designed to switch silently into unattended mode if the user does not reply within a set time. This directly undermines the stated confirmation gate and allows high-risk actions to proceed without explicit user authorization. Given the skill can modify configs, send external messages, and orchestrate subagents, the escalation materially increases the chance of unauthorized or harmful actions.

Ssd 4

High
Confidence
95% confidence
Finding
The Heartbeat instructions tell the agent to keep advancing tasks and convert confirmation timeouts into autonomous execution. Embedding this in recurring background logic creates a durable, automated consent-bypass mechanism that may continue acting long after the initiating context is forgotten. This is particularly dangerous because heartbeat runs periodically and can repeatedly apply autonomous decisions without contemporaneous user review.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# First, obtain the Feishu API app_access_token
curl -X POST "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \
  -H "Content-Type: application/json" \
  -d '{
    "app_id": "cli_a92f97ca9b799cd4",
```
Confidence
78% confidence
Finding
curl -X POST "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \ -H "Content-Type: application/json" \ -d '{ "app_id": "cli_a92f97ca9b799cd4", "app_secret": "your-app

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
```bash
cat > ~/.openclaw/devices/pending.json << 'EOF'
{
  "silent": true,
  "autoApprove": ["browser", "cli", "openclaw-control-ui"],
  "logLevel": "warn"
}
EOF
```
Confidence
95% confidence
Finding
autoApprove

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# Check the task status
if [ "$phase_status" = "completed" ]; then
  # Reclaim the cache
  rm -f /root/.openclaw/workspace/complex-task-subagent-experience/cache/$cacheFile
  echo "[$(date '+%Y-%m-%d %H:%M:%S')] ♻️ 缓存已回收: $cacheFile" >> task-cache.log
fi
```
Confidence
89% confidence
Finding
rm -f /root/.openclaw/workspace/complex-task-subagent-experience/cache/

VirusTotal

66/66 vendors flagged this skill as clean.
