MagicHaqi Operator

Security checks across malware telemetry and agentic risk

Overview

This owner-focused MagicHaqi operator is not malicious, but it deserves review because it combines autonomous recurring operation, URL-token login, persistent local state, and unclear telemetry handling.

Install only for the MagicHaqi owner/developer environment. Treat the URL token as a secret, avoid sharing screenshots or logs that include it, review what sdk.remoteLog exposes before enabling analytics, and periodically inspect or clear the agent/ state, journal, audit, marketing, and memory outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding: The playbook instructs login via a URL containing a raw token parameter (`MagicHaqi.html?token=<TOKEN>&agent=haqi-operator`) without any guidance on protecting, redacting, or avoiding token exposure. Tokens embedded in URLs can leak through browser history, logs, screenshots, referrers, copied links, or audit artifacts, which is especially risky in a long-running autonomous operator that also reads and writes local logs.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The task explicitly instructs the agent to modify local workspace state by writing to `agent/ops-state.json` and appending to `agent/ops-journal.log`, but provides no user notice, confirmation boundary, or safeguard around persistent state changes. In this skill's context, the agent is designed to run autonomously and maintain its own state, which makes silent file mutation more dangerous because it can continuously alter logs and operational data without an explicit approval checkpoint.

Missing User Warnings

Severity: Medium
Confidence: 87%

Finding: Referencing `sdk.remoteLog` as a telemetry source without any privacy, access-control, or data-handling guidance can cause the agent to ingest or propagate remote operational data whose scope and sensitivity are unclear. In an autonomous operator skill that already aggregates activity and makes decisions, this broadens the data surface and increases the risk of unintended collection, retention, or disclosure of telemetry.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding: The task explicitly instructs the agent to use `say` to save a persistent memory line, but provides no disclosure, retention guidance, or constraint on what may be stored. Even though this is framed as an internal demo/ops workflow, persistent memory creation can accumulate sensitive or unnecessary data over time and may later be reused in stories or screenshots without clear review.

VirusTotal

64/64 vendors flagged this skill as clean.