Frugal Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This orchestration skill largely matches its stated purpose, but it includes high-impact automation that can run shell/script tasks and push repository changes without clear safeguards.

Review before installing or scheduling. Only run batch manifests and router-generated commands you trust, avoid attaching sensitive context files to delegation, and do not run phase5_automation.sh unless you are comfortable with it committing and pushing metrics/log-related files to your configured Git remote.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
self.rate_limiter.acquire()

use_shell = isinstance(task.command, str)
proc = subprocess.run(
    task.command if use_shell else task.command.split(),
    capture_output=True,
    text=True,
Confidence
99% confidence
Finding
proc = subprocess.run( task.command if use_shell else task.command.split(), capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
self.rate_limiter.acquire()

cmd = [sys.executable, str(task.script_path)] + task.script_args
proc = subprocess.run(
    cmd,
    capture_output=True,
    text=True,
Confidence
89% confidence
Finding
proc = subprocess.run( cmd, capture_output=True, text=True, timeout=300 )

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly advertises automatic routing to terminal commands, script execution, and cron-style scheduling, but it does not warn users that using the skill may trigger shell execution, code execution, or recurring tasks. In an agent-skill context, missing these disclosures increases the chance that users or calling agents invoke high-risk behavior without informed consent, which can lead to unintended system changes, persistence, or abuse of privileged execution paths.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The router extracts any URL-like substring from untrusted task text and turns it directly into a curl command. In an agent/orchestrator context, this can trigger unintended outbound network access, enabling SSRF-style access to internal resources, data exfiltration, or contact with attacker-controlled hosts without any approval or safety gating.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Returning a generic fallback of 'bash -c <command>' normalizes shell execution as an acceptable route for ambiguous system tasks. In a larger agent pipeline, this creates a dangerous sink where downstream components may substitute user-controlled text into a shell invocation, leading to arbitrary command execution or unsafe automation without explicit review.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script forwards the supplied task and, if the third argument is a valid file path, the entire contents of that context file to a subordinate agent without any consent prompt, redaction, or visibility controls. In an agent skill, this can leak sensitive prompts, secrets, or local file contents to another execution context, especially because the context path is dereferenced and embedded automatically.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script persistently logs task metadata, including profile, timestamp, session ID, estimated token burn, and a snippet of the task, into tokens.json, and also updates project-wide metrics files, without notifying the user. Although the logging is local, it creates an unannounced data-retention surface that may expose sensitive task details to other users, processes, or later tooling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
_log_failure persists task type, classified error type, and up to 200 characters of the raw error message to a fixed log file on disk without sanitization, redaction, access-control handling, or user consent. In an orchestrator context, errors often contain prompts, paths, tokens, stack traces, or other sensitive operational data, so local log files can become a secondary disclosure surface.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs git push origin main automatically with no user confirmation, dry-run, or safeguard. In an automation context, this can publish generated artifacts or unintended repository state to a remote branch, causing unauthorized disclosure or integrity issues if the script runs in the wrong environment or on malformed data.

VirusTotal

66/66 vendors flagged this skill as clean.