Agent Harness Builder

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent multi-agent planning template, but it publishes a real organization's agent roster and operational setup and includes high-impact setup guidance that users should review carefully.

Install only if you intend to design a multi-agent OpenClaw harness. Before using it, replace the Decade Strategy/Tori/Paul examples with your own sanitized placeholders, review any instructions that edit OpenClaw config or install a gateway service, and do not reuse the included Slack channel, memory, or agent-roster details as-is.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
This template embeds a real organization's agent roster, project names, role assignments, model selections, memory paths, and internal Slack channel structure rather than using sanitized placeholders. In a harness-builder skill, that creates an unnecessary data exposure and can leak internal operational topology that would help social engineering, impersonation, or targeted reconnaissance against the organization.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger criteria are intentionally expansive and include vague natural-language cues such as any mention of coordinating agents or building structure for multiple agents. In an agentic environment, this can cause the skill to activate in situations where the user did not actually request harness generation, leading to misrouting, unnecessary context expansion, and incorrect delegation behavior.

VirusTotal

VirusTotal findings are pending for this skill version.