Agent Task Manager

Security checks across malware telemetry and agentic risk

Overview

This workflow skill's behavior is mostly disclosed in its documentation, but it still needs review: it can send task content to a third-party API, send notifications, persist state locally, and run arbitrary shell commands through a thin wrapper with weak safeguards.

Review before installing. Use a least-privilege SkillBoss API key, avoid putting secrets or private business data in task requests, confirm recipients before enabling notifications, inspect or delete task_state.json after use, and do not use cooldown.sh with untrusted task names or command arguments unless the eval behavior is removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares an environment variable requirement and describes file persistence, network calls, and state management, but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: a user or platform may approve the skill without understanding it can access credentials, write local state, and transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented as a general workflow orchestrator, but the documented behavior expands into external LLM-based parsing, financial-analysis use cases, and email/SMS notification delivery. This mismatch can cause users to invoke the skill for benign orchestration while unintentionally enabling data exfiltration, third-party processing, or sensitive operational actions they did not expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script builds a command string from all remaining arguments and executes it with eval, which causes the shell to re-parse the data as code. If TASK_NAME, command arguments, or any upstream workflow input can be influenced by an untrusted source, an attacker can inject additional shell syntax and achieve arbitrary command execution; in an agent orchestration skill, that is especially dangerous because commands may run automatically as part of stateful workflows.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill is presented as a generic workflow orchestrator, but it also performs domain-specific financial analysis and sends outbound notifications through a third-party API. That mismatch increases the chance that users or reviewers will underestimate what data leaves the environment and what actions the skill can take.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code retrieves a sensitive API credential and sends task data to a third-party remote service for analysis and notifications, capabilities that are not clearly justified by an orchestration-only description. In agent settings, hidden external calls are risky because they can transmit user prompts, workflow state, or recipient data outside the local trust boundary.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The activation language is broad enough to match many ordinary requests about workflows, sequencing, or task improvement. In context, that is more dangerous because the skill can persist state and call external services, so accidental invocation could trigger file writes or network transmission without the user realizing a powerful orchestration skill was selected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation advertises persistent state storage and external notification delivery but does not warn users that task data may be written locally and transmitted to third-party services. In a stateful multi-agent workflow manager, this omission increases the chance that sensitive workflow contents, identifiers, or outputs are retained or sent externally without informed consent.

Missing User Warnings

Low
Confidence
81% confidence
Finding
Although the required API key is listed, there is no guidance on secure handling, redaction, or preventing accidental exposure through logs, prompts, or persisted task state. In a skill that coordinates multiple components and external calls, weak credential-handling guidance can lead to leakage or misuse of the API key.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The notification path sends recipient and message content to an external API without any clear user-facing consent, warning, or validation in this file. This can leak sensitive content or trigger unintended outbound communications, which is more dangerous in an autonomous workflow engine that may run multi-step actions automatically.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The fallback path sends arbitrary natural-language user requests to an external API without any notice, consent, or minimization. Requests may contain sensitive operational details, credentials, personal data, or confidential workflow instructions, creating a privacy and data-governance risk whenever unmatched inputs are parsed remotely.

External Transmission

Medium
Category
Data Exfiltration
Content

```python
def _pilot(body: dict) -> dict:
    r = requests.post(
        f"{API_BASE}/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
```
Confidence
86% confidence

VirusTotal

66/66 vendors flagged this skill as clean.