Openclaw Skill Parallel Tasks

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but it should be reviewed because it can launch multiple local agent sessions, and the way it handles task text may let task content change the options passed to the spawned Hermes CLI.

Install only if you understand that this skill can start multiple local Hermes agent sessions at once. Use explicit, trusted task lists, avoid account-changing or destructive operations, and avoid concurrent writes to shared files unless you have reviewed the tasks carefully. The maintainer should pass Hermes arguments as a structured array instead of building and splitting a command string.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill definition uses broad activation phrases such as 'parallel execution', 'concurrent tasks', and 'wants multiple independent tasks done simultaneously,' which can cause the skill to trigger in situations where the user did not explicitly request this capability. Because the skill is designed to spawn multiple tasks in parallel, accidental activation can amplify actions, resource consumption, and side effects across several subtasks at once.

Missing User Warnings

Medium
Confidence: 78%
Finding
The README lists 'Read/write multiple files at once' as an ideal use case without any warning, scope limitation, or requirement for user confirmation. In the context of a parallel-execution skill, encouraging concurrent file writes increases the chance of unintended data modification, race conditions, and broad impact if the wrong tasks are launched or misinterpreted.

VirusTotal

67/67 vendors flagged this skill as clean.
