Xiaodi Multi Team System

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it combines automatic multi-agent routing with command execution, browser/web access, sensitive finance and office workflows, and weak safeguards.

Install only if you are comfortable with a broad multi-agent skill that can route requests automatically and use web, browser, memory, file, and command-execution capabilities. Do not rely on its financial ratings or price targets without independent real market data, avoid sharing sensitive account details or private documents, and do not point media outputs at irreplaceable files unless overwrite behavior is constrained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (35)

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The pricing-specialist is granted the exec tool even though its declared role is pricing, profit calculation, and competitor price tracking. Unnecessary code-execution capability violates least privilege and could be abused through prompt injection, task misrouting, or compromised workflow inputs to run arbitrary commands or scripts.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The data-analyst has exec alongside read/write and external data access, which creates a stronger path from untrusted input to arbitrary code execution. In a multi-agent e-commerce system that ingests web data and generates reports, this broad capability increases the chance that malicious content or indirect prompt injection could trigger command execution or unsafe local processing.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The ad-specialist is intended for advertising optimization and budget analysis, but it is also given exec without clear justification. That excess privilege enables arbitrary command or script execution if the agent is manipulated by malicious ad data, web content, or task instructions, expanding the blast radius beyond ad management.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The 'business-opportunity-analyst' is granted the exec tool and a local script entrypoint despite this manifest only describing financial analysis tasks such as technical analysis and signal generation. Shell or script execution creates a code-execution surface that can be abused through prompt injection, unsafe script arguments, or compromised downstream data, enabling arbitrary local actions beyond the stated business purpose.

Intent-Code Divergence

Medium (93% confidence)
Finding
The module advertises full stock analysis, including sentiment analysis, but the core engine uses hardcoded mock prices, fixed valuation inputs, and fabricated news instead of real market data. In a financial-analysis skill, this can mislead users into trusting outputs as if they were evidence-based, potentially driving unsafe investment decisions under false pretenses.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The document-manager is granted the exec tool even though its declared responsibilities are limited to document formatting, conversion, and archival. In a multi-agent office workflow, this creates unnecessary command-execution capability that could be abused by prompt injection in documents or by compromised task routing to run arbitrary local commands, expanding impact from document handling to full host-side actions.

Description-Behavior Mismatch

Medium (83% confidence)
Finding
The manifest presents the skill as a narrow office secretary team, but the declared scripts and features expand into generalized coordination, workflow orchestration, message-bus communication, and mindmap generation. This mismatch can mislead reviewers and users about the true operational scope, increasing the chance that broader capabilities are granted access to sensitive office data or automation privileges without appropriate scrutiny.

Context-Inappropriate Capability

Medium (90% confidence)
Finding
The generated HTML unconditionally loads JavaScript from a third-party CDN, which introduces network dependency and a supply-chain trust boundary that is not necessary for local mind-map generation. If the CDN content is unavailable or compromised, opening the generated file can fail or execute attacker-controlled script in the user's browser context.

Vague Triggers

Medium (86% confidence)
Finding
The README states that the Switcher 'automatically routes to the right team' but does not define boundaries, confirmation steps, or exclusions for higher-risk domains such as finance, browser use, or command execution. In a multi-agent system with exec and browser capabilities, broad implicit routing can cause sensitive or impactful actions to be initiated from ambiguous user prompts without adequate user awareness or gating.

Missing User Warnings

Medium (91% confidence)
Finding
The README advertises powerful tools including web_search, exec, and browser, plus media-processing binaries, but gives no warning about their ability to access external systems, process local data, or perform side-effecting actions. In this skill context, that omission is significant because the system spans financial, e-commerce, media, and office workflows, increasing the chance that users expose sensitive data or trigger impactful operations without understanding the risk.

Vague Triggers

Medium (79% confidence)
Finding
The example trigger phrases are broad natural-language requests such as arranging meetings, organizing documents, or analyzing investments, which can overlap with ordinary conversation and cause unintended activation. In this skill, accidental routing is more sensitive because the skill requests powerful capabilities like exec, browser, and web access across multiple domains, increasing the chance of unintended actions or data exposure.

Vague Triggers

Medium (91% confidence)
Finding
The example trigger phrases are very broad, natural-language requests that overlap with ordinary e-commerce conversations. In an agent-routing or auto-invocation environment, this can cause unintended activation of the skill and execution of monitoring, analysis, or content-generation actions without clear user intent boundaries.

Missing User Warnings

Medium (87% confidence)
Finding
The README advertises competitor monitoring and data collection/report generation capabilities but provides no guidance on acceptable data sources, privacy constraints, platform terms, or legal/compliance limits. This omission increases the risk that users or downstream agents will collect third-party or personal data in ways that violate platform policies or privacy expectations.

Vague Triggers

Medium (89% confidence)
Finding
The example trigger uses ordinary user phrasing like '帮我选品' ("help me pick products") without any explicit invocation boundary, making accidental or overly broad skill activation more likely. In a multi-agent system with browser and web-search capabilities, this can cause the agent to take e-commerce actions or gather external data when the user did not clearly intend to invoke this specialized skill.

Vague Triggers

Medium (92% confidence)
Finding
The skill is described with very broad capabilities like product research, competitor monitoring, profit calculation, and listing generation, but it does not define invocation scope, user consent requirements, or task boundaries. This increases the chance that a router or agent framework will apply the skill too aggressively, potentially initiating scraping-like behavior or sensitive business analysis without sufficiently explicit user intent.

Missing User Warnings

Medium (90% confidence)
Finding
The skill promotes daily scheduled competitor price tracking and discount monitoring but does not prominently warn about privacy implications, website terms of service, rate limits, or the operational impact of ongoing monitoring. In context, this is more concerning because the skill explicitly requires browser and web-fetch tools and later suggests proxy rotation, which can facilitate non-compliant or abusive collection practices.

Vague Triggers

Medium (85% confidence)
Finding
The skill exposes very broad natural-language invocation examples such as stock analysis, portfolio diagnosis, industry research, and asset allocation without defining clear activation boundaries, disallowed contexts, or confirmation requirements. In a multi-skill environment, this can cause over-triggering or misrouting of user requests into a finance-oriented workflow, increasing the chance of unsolicited financial guidance, inappropriate tool use, or handling sensitive portfolio data when the user did not explicitly intend to invoke this skill.

Missing User Warnings

Medium (92% confidence)
Finding
The prompt explicitly instructs the agent to analyze customers' historical trading records and detect behavioral patterns, which involves sensitive financial data profiling. It also directs the agent to produce concrete buy/sell/hold and position-sizing advice without requiring suitability checks, consent language, privacy handling, or strong risk disclosures, creating material privacy, compliance, and financial-harm risk.

Vague Triggers

Medium (81% confidence)
Finding
The manifest defines workflows, agents, and tools but does not specify when this financial team may be invoked or what user intents, asset classes, or safety preconditions must be met. In a multi-team system, missing activation boundaries increases the chance of over-broad routing, unintended handling of sensitive financial requests, and execution of higher-risk tools in contexts the user did not authorize.

Natural-Language Policy Violations

Medium (86% confidence)
Finding
The setting 'default_market': 'A股' (China A-shares) hard-codes a market context without explicit user selection. This can cause the system to analyze the wrong market, fetch irrelevant data sources, or produce unsuitable financial guidance, which is especially risky in an investment-oriented skill where jurisdiction, exchange, and instrument context materially affect outputs.

Missing User Warnings

Medium (92% confidence)
Finding
The skill advertises AI video generation through multiple third-party providers but does not disclose that user prompts, uploaded media, or related metadata may be transmitted to external services. In a multimedia workflow, users may submit sensitive images, videos, or business content, so the lack of a clear privacy and data-transfer warning can lead to unintended data exposure and compliance issues.

Missing User Warnings

Medium (93% confidence)
Finding
Multiple roles are granted write and exec capabilities, and the coordinator can orchestrate them, but the manifest provides no user-facing consent, warning, or safety boundary around file modification and subprocess execution. In a media-processing skill, this increases the risk of unexpected file changes, unsafe command execution paths in downstream scripts, and overly permissive automation if triggered on untrusted inputs.

Missing User Warnings

Medium (92% confidence)
Finding
The script invokes ffmpeg with the '-y' flag, which forces overwriting any existing output file without prompting. Because the output path is partly user-controlled via '--output' and otherwise derived automatically, a user can unintentionally destroy existing files, making this a real safety issue even though it is not code execution.

Missing User Warnings

Medium (93% confidence)
Finding
The script invokes ffmpeg with the -y flag, which unconditionally overwrites the destination file if it already exists. Because the output path is user-controlled via --output and the default path is predictable, this can cause accidental data loss or destruction of an existing file without any confirmation, especially in automated workflows or shared environments.

Missing User Warnings

Medium (84% confidence)
Finding
The README advertises handling emails, documents, schedules, and meeting records, all of which can contain sensitive personal, business, or confidential information, but provides no notice about data access, retention, permissions, or external system effects. This omission can lead users to expose sensitive content without understanding privacy implications or operational risks such as modifying calendars, processing mail, or generating records from confidential meetings.

VirusTotal

65/65 vendors flagged this skill as clean.