ClawHub

Agent Onboarding 1.0

Security checks across malware telemetry and agentic risk

Overview

This onboarding skill is mostly coherent, but it embeds shared folder tokens and instructs agents to create local config files and recurring cron jobs without clear user approval or removal guidance.

Install only if you trust the publisher and the shared workspace context. Before use, remove or rotate the embedded folder tokens, require confirmation before any _config file writes, and approve each cron job with a clear way to inspect and remove it later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger keywords and intent patterns are broad and include common collaboration terms such as '接入', '加入协作', and 'onboarding', which can cause the skill to activate in benign conversations unrelated to explicit onboarding requests. In this skill's context, accidental activation is more dangerous because the workflow leads to configuration changes, cron registration, and access-related actions rather than read-only guidance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to create a local '_config/' directory and maintain files like 'skills-index.md' and 'cron-config.md' without any user-facing notice or approval step. Silent workspace modification is risky because it changes local state, may overwrite existing files, and can persist operational metadata without the user's informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs agents to register recurring cron jobs at fixed times, creating persistent scheduled behavior without any warning or consent mechanism. This is especially dangerous because cron establishes ongoing execution beyond the initial interaction, potentially causing repeated network access, file modification, or coordination activity that the user did not knowingly authorize.

Missing User Warnings

High
Confidence
99% confidence
Finding
The document exposes what appear to be shared folder access tokens directly in the skill content, effectively treating sensitive identifiers as public configuration. If these tokens grant access to shared storage, anyone with the skill text may reuse them for unauthorized discovery, access, or modification of organizational data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal