Security audit

Multi-Agent Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for coordinating multiple agents; it can lead to code changes and command execution, but those capabilities are disclosed, purpose-aligned, and paired with scoping guidance.

Install this only if you want your agent to coordinate multi-agent work. Use it on a branch or sandbox, review the execution plan first, limit each agent's files and tools, block secrets, and require explicit approval before Bash, deployment, rollback, or broad file changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README promotes parallel codebase refactoring, file locking, and coordinated agent execution as a turnkey workflow, but it does not warn that these patterns can modify many files quickly or trigger high-impact actions if the agent has write or execution tools. In a skill specifically designed to orchestrate multiple agents over a shared codebase, omission of safety boundaries increases the chance of accidental large-scale changes, unsafe tool use, or execution of unreviewed outputs.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The deployment and infrastructure examples normalize using an agent pipeline for lint, test, build, deploy, and verify without warning that these actions can affect live systems, credentials, cloud resources, or production availability. Because this skill is expressly about orchestrating multiple agents, it amplifies operational risk: one unsafe prompt or misconfigured toolchain could cascade into real infrastructure changes faster than a single agent would.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The testing stage tells an agent to write tests and run them, which can lead to execution of generated or modified code without any safety boundary, sandboxing, or approval step. In a multi-agent orchestration skill, this is more dangerous because earlier stages may have produced untrusted code, and the pipeline normalizes automatic execution as part of the workflow.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.