Skill Kannaka Constellation

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly transparent, but it mixes status monitoring with commands that can join an external swarm, publish agent state, and apply memory-health changes.

Review before installing if you only want read-only status checks. Use the status commands with care, and only run `join`, `sync`, `listen --auto-sync`, `peer brief`, or `health --apply` when you intentionally want the agent to communicate with the external swarm or modify memory-related state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium, 94% confidence

The manifest and description frame this as a status-monitoring skill, but the body includes commands that can alter system and network state, such as joining the swarm, syncing, listening with auto-sync, and applying memory-health actions. This mismatch can cause an orchestrator or user to invoke a seemingly read-only skill in situations where side effects are unexpected, increasing the chance of unauthorized network participation or state changes.

Context-Inappropriate Capability

Medium, 92% confidence

The skill includes active participation features like swarm join, manual synchronization, live listening with auto-sync, and a health command with an apply mode, none of which are necessary for basic status monitoring. In a skill expected to provide visibility only, these capabilities expand the attack surface by enabling outbound connections, publication of agent state, and potentially modifying memory-related data or distributed system behavior.

Intent-Code Divergence

Medium, 88% confidence

The document says not to use this skill for memory-specific operations, yet it exposes `kannaka swarm health [--apply]`, which is described as running the memory immune system and performing reversible actions. That contradiction makes it easier for users or automation to trigger memory-affecting behavior through a skill that claims such operations are out of scope, undermining safety boundaries between skills.

Vague Triggers

Medium, 90% confidence

The manifest uses broad automatic activation phrases like 'what's connected' and 'all services,' which can overlap with many benign troubleshooting or inventory requests. Because this skill also contains networked and state-changing operations, broad routing increases the risk that it is selected in contexts where a safer, narrower, read-only skill should have been used.

Missing User Warnings

Medium, 95% confidence

The swarm join command connects to an external NATS server, announces the agent, and begins publishing phase states, but the documentation does not clearly warn that this transmits identity and operational data off-host. In a skill that may auto-activate for generic status questions, lack of disclosure makes unintended data egress and external enrollment more likely.

VirusTotal

VirusTotal findings are pending for this skill version.
