Inter Agent Communication

Security checks across malware telemetry and agentic risk

Overview

This skill is for agent-to-agent messaging, but it also preserves long-lived agent sessions through shell-based session management without clear approval, expiry, or cleanup limits.

Install only if you intentionally want agents to create and preserve subagent communication sessions. Require confirmation before spawning or protecting sessions, verify the target agent before sending private context, validate or restrict session keys, and make sure there is a documented way to list and clean up protected sessions.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The documented use of exec to run `openclaw sessions cleanup --active-key ... --enforce` introduces shell-command execution into a skill whose stated purpose is inter-agent messaging. Even though the example looks fixed-purpose, any shell execution increases the attack surface, bypasses normal tool constraints, and enables system-side effects that are disproportionate to the communication use case.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The manifest describes a communication workflow based on sessions_spawn, but the instructions add out-of-band session lifecycle manipulation through a shell command. This discrepancy can mislead operators and reviewers about the skill's real privileges and side effects, making risky behavior easier to deploy without appropriate scrutiny.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The helper exposes a generic shell execution path via `exec()` to perform session protection, even though the module’s stated purpose is cross-agent communication. Although `sessionKey` is quoted, this still broadens the skill’s privilege surface and creates avoidable command-construction risk if `sessionKey` is attacker-controlled or shell escaping is incomplete in edge cases.

Missing User Warnings

Medium
Confidence: 95%
Finding
The markdown directly instructs the agent to execute a system-side command via exec without clearly warning that this affects host/session state and may persist channels beyond their default lifecycle. That omission increases the risk of unintended privileged actions, especially in environments where skill docs are followed automatically or trusted as safe operational guidance.

VirusTotal

64/64 vendors flagged this skill as clean.
