Security audit

Project Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate project-orchestration tool, but it exposes powerful unauthenticated project, indexing, deletion, and agent-execution capabilities that need careful review before installation.

Install only in a trusted local or isolated environment. Change the default Neo4j and Meilisearch secrets, avoid exposing port 8080 or the database/search ports to untrusted networks, restrict which directories are synced or watched, and treat chat_send_message and deletion tools as privileged actions that should require explicit user control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (34)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill advertises powerful capabilities including environment-variable access, MCP integration, networking, and shell execution, but does not declare permissions or constraints. In an agent setting, this reduces transparency and can cause the skill to be granted or exercised with more authority than a reviewer expects, increasing the chance of unintended command execution, data access, or outbound communication.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding:
The documented description frames the skill as a code/project orchestrator, but the behavior summary indicates substantially broader functionality, including subprocess orchestration, streaming chat, persistent history, webhooks, WebSockets, and large MCP tool exposure. This mismatch is dangerous because users and automated policy systems may trust or approve the skill for a narrower purpose while it actually enables much wider control, persistence, and data movement.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The document explicitly states that the API has no authentication while exposing broad administrative capabilities such as creating, modifying, syncing, and deleting projects, workspaces, notes, watchers, and index data. In the context of an agent orchestration skill that centralizes codebase context and project state, unauthenticated access enables complete compromise of integrity and confidentiality for all managed data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The internal event bridge accepts an arbitrary `CrudEvent` payload and immediately broadcasts it on the shared event bus, with no authentication, authorization, origin validation, or integrity check visible in this handler. If this route is reachable by anything other than a fully trusted internal caller, an attacker could inject fake create/update/delete events and trigger downstream automation, cache invalidation, or state changes across the orchestrator.

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding:
The binary is documented as an MCP stdio server, but it also instantiates an EventNotifier that forwards events to an HTTP endpoint configured by MCP_HTTP_URL. That creates an additional network egress channel beyond the stated role, which can leak project content, prompts, or metadata to another service if operators are unaware or if the endpoint is misconfigured.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The code explicitly sets `PermissionMode::BypassPermissions` for both the one-shot prompt-refinement client and the session clients, removing the normal safety gate before tool use or other privileged actions. In this skill, the spawned client is connected to an MCP server that exposes project orchestration capabilities and receives sensitive backend credentials, so unrestricted execution materially increases the blast radius of prompt injection, model misbehavior, or malicious user input.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The manager injects live Neo4j and Meilisearch credentials into the MCP subprocess environment, giving the child process direct access to core data stores. Any compromise of the MCP server, the spawned client, or a tool invocation path could expose or misuse these credentials for data exfiltration, tampering, or broader lateral movement.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding:
The handler exposes direct message submission to a chat manager with caller-controlled message, cwd, project_slug, and model, effectively turning this MCP surface into a generic agent-execution entrypoint. In an orchestrator skill, this is more dangerous because it can invoke downstream agent behavior outside the narrowly stated orchestration/search/graph role, potentially enabling prompt injection, unintended tool use, or execution against sensitive working directories if higher layers do not strictly constrain the chat subsystem.

Context-Inappropriate Capability

Severity: High
Confidence: 83%
Finding:
The manifest exposes a direct message-sending capability that includes a caller-controlled working directory and resumes or creates sessions, indicating the orchestrator can drive an underlying coding/chat runtime. In an agent skill focused on orchestration and shared context, this materially expands capability and can become a confused-deputy or unintended code-execution surface if not tightly authorized and sandboxed by the implementation.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README explicitly promotes code indexing, semantic search, shared knowledge storage, and auto-sync to backend services, but it does not warn users that proprietary source code, architectural metadata, plans, and decisions may be transmitted to and stored in Neo4j/Meilisearch. In a multi-agent orchestration product, that omission can cause unsafe deployment into environments with sensitive code or regulated data, leading to accidental data exposure, retention, or compliance violations.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The documentation publishes default credentials and API keys, including a fixed Neo4j password and Meilisearch key, without prominently warning users to rotate them before deployment. If the service is exposed beyond localhost, attackers can authenticate with known defaults, access indexed code and decisions, alter data, or pivot further into the environment.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation presents project deletion as a routine action without warning about irreversible destruction or recommending confirmation. In an agentic environment, this increases the chance that a model or operator triggers destructive actions unintentionally, causing loss of project metadata and associated records.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Workspace deletion is described tersely and does not clearly communicate downstream effects on project associations and related data. For orchestration tools used by agents, lack of safety guidance around destructive actions materially raises the risk of accidental state corruption or disruptive coordination failures.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
Resource deletion is documented without any warning about permanent removal or effects on linked projects. Because resources represent shared contracts or specs, accidental deletion could break cross-project coordination and mislead downstream agents that depend on this metadata.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
Deleting components without warning about topology and dependency impact is dangerous in a system that models deployment relationships. An agent could remove a component and silently invalidate dependency graphs, workspace topology, and planning context used by other tools.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
Filesystem sync and watch operations can expose sensitive code, secrets, or unrelated files if pointed at broad paths, yet the documentation gives no privacy or system-impact warning. In an orchestration skill, agents may autonomously choose directories, so omission of guardrails increases the likelihood of over-collection and unintended monitoring.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
Knowledge note deletion is documented as a simple operation without caution about permanent loss of contextual guidance. Since notes feed agent context and graph propagation, accidental deletion could degrade decision quality, remove security guidance, or erase institutional knowledge relied on by future tasks.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The orphan cleanup tool performs destructive deletion in the search index and is documented without explicit caution or confirmation guidance. In agent-driven use, this can cause silent loss of indexed documents and reduced search/context quality if invoked incorrectly or against misclassified data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The API reference documents destructive operations like project deletion, including deletion of all associated data, without warnings, confirmations, or cautionary guidance. In an orchestration platform used by agents and humans, undocumented destructive behavior increases the chance of accidental or automated misuse leading to data loss.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The documentation normalizes unauthenticated API usage without any privacy, integrity, or exposure warning. Because this API handles project metadata, code-search results, notes, topology, and mutation endpoints, users may deploy it insecurely and expose sensitive operational and codebase context to unauthorized parties.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The guide tells users to register and sync a local codebase, and notes that parsing and indexing occur, but it does not clearly warn that potentially sensitive source code, symbols, paths, and metadata will be ingested into Neo4j and Meilisearch. In a developer tool that operates on arbitrary local repositories, this can lead users to unintentionally index proprietary or secret-bearing content into backend services they may not have secured appropriately.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The guide exposes a destructive `delete_project` capability in the tool list, and although the table notes that it deletes associated data, it does not add an explicit warning about irreversible data loss, confirmation expectations, or safe-use guidance. In an agent-orchestration context where users may issue natural-language commands, the lack of warnings on destructive actions increases the chance of accidental deletion of project metadata, plans, tasks, and linked records.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation encourages `sync_project`, `sync_directory`, and file-watching workflows that scan local directories, but it does not warn users that source code, secrets in files, proprietary content, or large directory trees may be indexed into Neo4j/Meilisearch and continuously monitored. In this skill's context, that omission is more dangerous because the tool is explicitly designed for broad codebase ingestion and multi-agent access, amplifying privacy, confidentiality, and resource-usage risks.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The documentation includes concrete credentials and API keys in a copy-pasteable configuration example, which encourages users to deploy default secrets unchanged. If these example values are accepted by local or shared deployments, attackers or other local users could access Neo4j or Meilisearch, exposing project data and orchestrator context. The skill context increases risk because this integration is for an IDE-connected orchestration system with broad tooling and shared project knowledge, so weak/default credentials can expose sensitive code intelligence and task metadata.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The documentation embeds concrete database and search-service credentials directly in copy-pasteable SDK examples, but does not clearly warn that these are placeholders that must be changed and should not be committed or reused. In an agent-orchestration context, users may paste these values into live configs, normalize hardcoded secrets in source code, or inadvertently deploy default credentials, increasing the risk of unauthorized access to Neo4j or Meilisearch.

VirusTotal

66/66 vendors flagged this skill as clean.