ClawHub

ollama-task-orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill openly controls a remote Ollama worker, but it gives agents broad SSH-based file, process, and shell-command authority without strong guardrails.

Install only on a dedicated, low-privilege worker account you are comfortable letting an agent control. Avoid shared or production machines, keep `ALLOW_NL_EXEC` disabled, consider removing or blocking `ollama run exec`, review writes before use, avoid putting secrets in `AGENT.md`, and pin/review the source before updating.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
remote_command = command
        else:
            remote_command = shlex.join(command)
        result = subprocess.run(
            ["ssh", self.worker_host, remote_command],
            capture_output=True,
            text=True,
Confidence
95% confidence
Finding
result = subprocess.run( ["ssh", self.worker_host, remote_command], capture_output=True, text=True, )

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation explicitly instructs an agent to execute remote SSH commands on a worker machine and even suggests using `queue_status.sh clean --force` to clear locks. While this appears operational rather than malicious, it grants the agent authority to perform remote actions and potentially disruptive state changes beyond passive code generation, increasing the blast radius if prompts are misused or the worker is shared.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The help text explicitly states that natural-language requests are routed 'safely', but the implementation can route NL input to the exec action and ultimately run arbitrary shell commands. This is dangerous because it misleads operators into trusting a high-risk interface and can cause unsafe use in automation or by less-privileged users who would not otherwise invoke raw shell execution.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation tells the agent to write generated output directly to a specified file path without warning about overwrite, path targeting, or review requirements. In an agent context, direct file writes can modify source code or sensitive files unexpectedly, especially if the path or instruction is influenced by untrusted input.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Recommending `queue_status.sh clean --force` without warning normalizes a potentially disruptive administrative action that can break synchronization guarantees or interfere with other jobs on the worker. In a multi-user or automated setting, force-clearing locks can corrupt workflow state, cause overlapping runs, or destroy evidence of an in-progress task.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly advertises that agents can write files and execute arbitrary shell commands on a remote worker via SSH, but it does not provide a prominent warning about the security and operational risks. In an agent skill context, this is dangerous because users may enable the skill without understanding that prompts can directly change files or affect system state on the worker machine.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly exposes `ollama run exec <command>` to run arbitrary shell commands on a remote worker over SSH, but the description provides no warning, restriction, or safety boundary. In an agent setting, this materially increases the chance of command injection, destructive system actions, or unauthorized access to data on the worker machine.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `write` task allows generated content to be written directly to a file, but the skill description does not warn that it can modify user or project data. In practice, an agent could overwrite source files, introduce malicious code, or corrupt important artifacts without the user understanding the risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented `clean --kill-ollama` behavior can stop and restart the Ollama server to cancel active generation, which is a disruptive administrative action. Without a prominent warning, users or agents may unintentionally terminate active work, causing denial of service, loss of in-progress results, or interruption of other users' tasks.

Missing User Warnings

High
Confidence
99% confidence
Finding
When the routed action is exec, the script prints the command and immediately calls run_exec, which uses eval without any confirmation, review, or policy enforcement at execution time. In a natural-language interface, this creates a direct path from ambiguous or manipulated user input to arbitrary code execution on the host.

Ssd 3

Medium
Confidence
89% confidence
Finding
The script prepends the full contents of PROJECTS_DIR/DEFAULT_PROJECT/AGENT.md to prompts sent to Ollama whenever DEFAULT_PROJECT is set. That means project context can be disclosed in plain language responses or exposed to whatever service OLLAMA_URL points to, which becomes especially risky if the context file contains secrets, internal instructions, or sensitive operational data.

Ssd 1

Medium
Confidence
91% confidence
Finding
The fallback router delegates action selection to an LLM using a prompt that embeds the raw user request and relies on natural-language instructions for safety constraints. Because LLMs can be influenced by prompt injection or adversarial phrasing in the embedded request, the router may misclassify actions, including steering toward more dangerous behaviors if exec is enabled.

Session Persistence

Medium
Category
Rogue Agent
Content
An [OpenClaw](https://openclaw.ai) skill that lets your AI agents queue and execute tasks on a local Ollama instance running on a worker Mac (or any machine accessible via SSH).

Agents can check Ollama's queue health, run code generation tasks, write files, run tests, or execute arbitrary shell commands — all through a simple `ollama status` / `ollama run` interface.

---
Confidence
81% confidence
Finding
write files, run tests, or execute arbitrary shell commands — all through a simple `ollama status` / `ollama run` interface. --- ## Features - **Queue status** — check if Ollama is idle, busy, or h

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal