Workflow Automator

Security checks across malware telemetry and agentic risk

Overview

This is a powerful unattended workflow automation skill. It is not clearly malware, but it can run approved shell, browser, messaging, and scheduled actions with persistent local data.

Install only if you trust the publisher and are comfortable reviewing every workflow plan before approval. Use restricted_mode, allowed_sites, short approval TTLs, max-runs, and clear_session for risky workflows; avoid banking, payment, admin, or sensitive accounts; and regularly purge sessions, screenshots, and run logs because command output may contain sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script advertised as a schedule checker also traverses the sessions directory and deletes browser session state older than 7 days. This creates hidden destructive behavior in a heartbeat job that may run every minute, so a routine schedule check can silently invalidate authenticated browser workflows and remove data outside the core purpose of the script.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The header comment claims the script only checks schedules and outputs matching plans, but the implementation also performs destructive cleanup of session artifacts. This mismatch is dangerous because operators and reviewers may grant the script broader trust than warranted, causing unnoticed deletion when invoked automatically by cron.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The invocation scope is extremely broad, covering file processing, messaging, browser automation, scraping, scheduling, and multi-step execution from plain-English requests. Overbroad routing language increases the chance this skill is selected for generic tasks where high-risk capabilities are unnecessary, expanding exposure to command execution, network calls, and persistent automation.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: Marketing-style language like 'You describe it once. I run it forever.' encourages autonomous long-lived execution without clearly surfacing safety boundaries at invocation time. In a skill that can run shell commands, browse sites, and send messages, ambiguous trigger phrasing increases the risk of accidental or overly permissive use.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The guide explicitly states that login sessions, cookies, and local storage persist across scheduled runs, but it does not warn users about the privacy and security consequences of retaining authenticated state. In a workflow automation skill that logs into third-party services and runs unattended, persistent sessions increase the risk of unauthorized access, cross-task data exposure, and long-lived compromise if the managed profile is accessed by another workflow, user, or attacker.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The deletion happens inline with no direct warning, confirmation, or dry-run behavior for the destructive path, even though this script is intended for unattended cron execution. In the skill context, that makes the issue more dangerous because authenticated browser sessions can be removed automatically and repeatedly without the user realizing why workflows broke.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The `purge-workflow` subcommand performs irreversible deletion of workflow-specific schedules, approvals, sessions, runs, and screenshots without any confirmation prompt or `--force` gate. In a skill designed to automate workflows, this increases the risk of accidental or agent-triggered destructive actions against persistent user data, especially because session data may include browser auth state.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script persists up to 50 lines of stdout and all stderr from executed steps into per-run JSON logs under a predictable directory, with no redaction or opt-in control. Because this skill executes arbitrary workflow commands and browser actions, those outputs can easily contain secrets, personal data, access tokens, query results, or internal error details that become stored at rest beyond the original execution context.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
  step-number    Step number to execute (1-based)

  Options:
    --autonomous           Skip user confirmation (for scheduled runs).
                           Verifies plan approval hash before executing.
                           Blocks if plan was modified since approval.
    --screenshot-dir PATH  Override screenshot directory
Confidence: 81%
Finding: Skip user confirmation

VirusTotal

VirusTotal findings are pending for this skill version.