ChatDev 2.0 Multi-Agent Team

Security checks across malware telemetry and agentic risk

Overview

This skill transparently targets a local ChatDev service, but it also gives agents broad ability to persistently change workflows and overwrite local tool code without clear consent safeguards.

Install only if you intentionally run and trust the local ChatDev service on 127.0.0.1:6400. Use read-only browsing and explicit workflow runs as the lower-risk path, and require clear approval before uploading, updating, renaming, copying, deleting workflows, moving generated output, or creating/overwriting local tools. Avoid sensitive datasets unless you understand how the ChatDev backend and configured model provider handle them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is presented as an invocation interface for ChatDev workflows, but its documentation exposes a much broader management surface: uploading, updating, renaming, copying, deleting workflows, and creating local tools. That expands the skill from read/execute into arbitrary modification of agent behavior and local code assets, which can enable persistence, tampering, or execution of attacker-defined logic on the local backend.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The local tool hot-update section explicitly allows arbitrary file creation/overwrite of local tool code via POST to /api/tools/local. In practice, this gives the skill a path to plant or replace executable tool logic on the local system, far exceeding the stated purpose of invoking workflows and creating a strong avenue for code tampering and persistence.

Vague Triggers

Medium
Confidence: 84%
Finding
The manifest description says to use the skill when users mention broad terms like "workflows," which is likely to trigger in many unrelated contexts. Over-broad activation increases the chance the agent invokes a powerful local-management skill unnecessarily, exposing file-modifying and workflow-mutating operations in situations where the user did not request them.

Missing User Warnings

High
Confidence: 89%
Finding
The skill instructs the agent to move output_dir into the working directory after running workflows, which is a file-modifying action, and the broader document also includes destructive operations such as delete/update without warning or confirmation requirements. In an agent setting, silent file writes or moves can overwrite user data, import untrusted artifacts into the workspace, or stage later misuse without informed consent.

External Transmission

Medium
Category: Data Exfiltration
Content
- Format notes: same payload as upload (`filename` + YAML `content` string).
- Example:
  ```
  curl --noproxy 127.0.0.1 -v -X PUT \
    http://127.0.0.1:6400/api/workflows/test.yaml/update \
    -H "Content-Type: application/json" \
    -d @- <<'EOF'
  ```
Confidence: 90%
Finding
Flagged command: `curl --noproxy 127.0.0.1 -v -X PUT http://127.0.0.1:6400/api/workflows/test.yaml/update -H "Content-Type: application/json" -d`

External Transmission

Medium
Category: Data Exfiltration
Content
- Body: `{ "new_filename": "new_name.yaml" }`
- Example:
  ```
  curl --noproxy 127.0.0.1 -v -X POST \
    http://127.0.0.1:6400/api/workflows/test.yaml/rename \
    -H "Content-Type: application/json" \
    -d '{"new_filename":"renamed.yaml"}'
  ```
Confidence: 82%
Finding
Flagged command: `curl --noproxy 127.0.0.1 -v -X POST http://127.0.0.1:6400/api/workflows/test.yaml/rename -H "Content-Type: application/json" -d '{"new_filename":"renamed.yaml"}'`

VirusTotal

66/66 vendors flagged this skill as clean.