ACP Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill openly documents a terminal agent orchestrator; it can run powerful workflows, but the reviewed artifacts do not show hidden or malicious behavior.

Install only if you intend to coordinate terminal AI agents. Review any task file before running batch or parallel modes, avoid untrusted prompts or flags like yolo-style no-confirm execution, and verify the external acpx npm package and optional agent CLIs because their runtime code is not included in this reviewed skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 86%
Finding
The README explicitly promotes batch and parallel execution from task files, direct passthrough execution, and session kill operations, but provides no warning that these features can trigger arbitrary or destructive actions depending on task-file contents or user-supplied prompts. In an agent-orchestration skill, normalizing unattended or bulk execution increases the chance of unsafe command propagation, accidental destructive operations, or misuse in environments where agents have shell or file-system access.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documents batch and parallel execution of commands sourced from a task file on disk, but it provides no warning that each line may invoke arbitrary agent commands and potentially unsafe flags. In an agent-orchestration context, this increases the risk of users running unreviewed task files that trigger unintended actions, mass execution, or dangerous agent behaviors at scale.

VirusTotal

65/65 vendors flagged this skill as clean.
