Reed Agent Network

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed coordination skill, but it can persistently change agent memory and shared Git state in ways that may steer future agent behavior.

Install only if you intentionally want to join this Reed AgentNetwork and trust the configured GitHub repository, Discord channel, and Reed administrator role. Before use, change git-config.json to a repo you control, review AGENT_CONSTITUTION.md, limit GitHub and Discord permissions, and require human review before accepting constitution changes or network messages as instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill clearly instructs reading and writing files under ~/.openclaw/shared and running shell/git/OpenClaw CLI commands, yet it declares no permissions. This creates a transparency and authorization gap: an invoking agent or user may not realize the skill can mutate shared state, send network messages, and execute shell commands with side effects.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The skill modifies a workspace-level MEMORY.md outside the narrow scope of registry synchronization and injects persistent governance content that can influence future agent behavior. In an agent environment, altering shared memory/state is security-relevant because it creates a stealthy persistence and policy-shaping mechanism beyond the user's immediate action.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The code injects organization-wide directives such as 'all agents must read this file' and 'constitution wins' into local memory files, effectively establishing cross-agent instruction precedence. That is dangerous because it can bias or override future agent decisions through persistent prompt/context manipulation, which is more severe than ordinary file editing.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The description says to use the skill for broad coordination activities, which could cause it to be invoked for many routine tasks beyond its intended high-impact admin and synchronization workflows. In this context, over-broad triggering is risky because the skill can update shared registries, rewrite memory pointers, and send cross-agent messages, amplifying unintended actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill states that init automatically creates AGENT_CONSTITUTION.md and updates MEMORY.md with a managed block, but it does not prominently warn that running the workflow will modify both local workspace files and shared repository state. Hidden or under-signaled file mutation is dangerous because it can alter agent behavior and persistent memory without informed approval.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The sync policy directs users to run pull, modify registry, commit, and push operations to a shared Git repository, but it does not clearly foreground that these commands propagate changes to all participants and may overwrite or race with others despite retry logic. In a shared-state coordination system, silent or insufficiently warned pushes can corrupt registry state, spread bad configuration, or institutionalize malicious instructions in the constitution/memory repo.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill writes to MEMORY.md and repository files without an explicit user-facing warning, confirmation, or dry-run. Silent mutation of shared context and persistent files is risky in agent systems because users may not realize the skill is changing future execution context and repository state.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code performs clone/fetch/checkout/pull/push operations automatically, causing network and repository side effects without clear disclosure at the point of execution. In a skill context, undisclosed remote sync actions are dangerous because they can exfiltrate local changes, import untrusted remote content, and alter local state unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.