Agent Swarm Network

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed agent networking and memory skill, but it automatically stores and restores unencrypted session context that may include secrets.

Install only if you intentionally want persistent cross-session agent memory and peer-agent communication. Audit the external Pilot Protocol binary and helper scripts, restrict ~/.pilot permissions, avoid putting secrets in sessions that may be snapshotted, manually gate or disable auto-snapshot/auto-restore where possible, and regularly review and clear ~/.pilot/inbox and ~/.pilot/received.
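A concrete way to carry out the permission and inbox hygiene steps above, as an added example that is not part of the skill or of the SkillSpector report. It assumes only what the overview states: a ~/.pilot directory containing inbox/ and received/. The fixture it builds is constructed sample data; the Pilot Protocol's real file layout and message format are not assumed.

```python
"""Audit a ~/.pilot directory: owner-only permissions, stale peer messages.

Added example, not part of the Agent Swarm Network skill or SkillSpector.
Only the inbox/ and received/ subdirectories named in the overview are
assumed; nothing else about the on-disk format is.
"""
from __future__ import annotations

import os
import stat
import tempfile
import time
from pathlib import Path

# Any of these bits set means a user other than the owner can reach the path.
GROUP_OTHER_BITS = 0o077


def check_permissions(root: Path) -> list[str]:
    """Return one line per path under root that group or others can access."""
    findings = []
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue  # symlink modes are meaningless; the target is audited separately
        mode = stat.S_IMODE(path.lstat().st_mode)
        if mode & GROUP_OTHER_BITS:
            findings.append(f"{path}: mode {oct(mode)} exposes data to group/other")
    return findings


def tighten_permissions(root: Path) -> None:
    """Owner-only access: 0700 for directories, 0600 for files."""
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue
        path.chmod(0o700 if path.is_dir() else 0o600)


def stale_messages(root: Path, max_age_s: float, now: float | None = None) -> list[Path]:
    """Files in inbox/ and received/ older than max_age_s: review, then delete."""
    now = time.time() if now is None else now
    stale = []
    for sub in ("inbox", "received"):
        d = root / sub
        if not d.is_dir():
            continue
        for f in sorted(d.iterdir()):
            if f.is_file() and now - f.stat().st_mtime > max_age_s:
                stale.append(f)
    return stale


def build_fixture() -> Path:
    """Constructed sample tree for the demo (not real Pilot Protocol data)."""
    root = Path(tempfile.mkdtemp()) / ".pilot"
    (root / "inbox").mkdir(parents=True)
    (root / "received").mkdir()
    old = root / "inbox" / "msg-old.json"
    old.write_text('{"from": "peer-a", "body": "hello"}')
    os.utime(old, (0, 0))  # mtime at the epoch: unambiguously stale
    fresh = root / "received" / "file-new.bin"
    fresh.write_bytes(b"\x00\x01")
    root.chmod(0o755)  # deliberately loose so the audit has something to report
    old.chmod(0o644)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for line in check_permissions(root):
        print("before:", line)
    tighten_permissions(root)
    print("after:", check_permissions(root) or "no group/other access")
    for f in stale_messages(root, max_age_s=7 * 24 * 3600):
        print("stale, review then delete:", f)
```

Run it against the real directory by replacing `build_fixture()` with `Path.home() / ".pilot"`. The audit deliberately separates reporting from fixing, so you can see what was exposed before you change modes; the stale list is printed rather than deleted, because the overview's advice is to review the inbox before clearing it.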

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The manifest and high-level description present this as an agent communication skill, but the body also adds gateway IP bridging and webhook registration, which materially expand the attack surface into HTTP service exposure and outbound event forwarding. Undisclosed capabilities can cause operators or orchestrators to invoke the skill without understanding that it can expose local services or stream sensitive runtime events to another endpoint.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Gateway IP bridging maps agent services onto reachable HTTP endpoints, effectively turning an internal agent/network utility into a local service exposure mechanism. That is dangerous because it can expose sensitive model or agent interfaces to unintended local users, containers, or lateral-movement paths, especially if authentication is weak or absent on the bridged service.

Context-Inappropriate Capability

Low
Confidence: 82%
Finding
Webhook forwarding introduces a separate HTTP integration path that can exfiltrate operational metadata such as connection events, message/file receipt, and handshake activity to another service. In a skill framed as local agent communication, this extra outbound channel increases privacy and monitoring risk, particularly if users do not realize events may be pushed to a listener.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README promotes automatic snapshot and restore behavior but the prominent feature description does not immediately disclose that sensitive session context will be written to disk by default. In a skill explicitly designed for cross-session persistence, users may enable or use it without understanding that secrets, tokens, and private data can persist in plaintext, increasing the chance of unintended disclosure.

Vague Triggers

Medium
Confidence: 80%
Finding
The invocation description uses broad triggers such as cross-session context persistence, multi-agent coordination, or context overflow handling, which can cause the skill to activate in many unrelated workflows. Because this skill can execute local binaries, write files, and use network features, over-broad activation raises the chance of sensitive actions happening without a narrowly scoped user request.

Vague Triggers

Low
Confidence: 84%
Finding
The manifest declares broad automatic triggers such as session start, session end, model switch, and context overflow, which can activate a skill that performs messaging, file writes, context snapshotting, and background daemon interaction without a narrowly scoped user action. In a coordination/networking skill, ambiguous auto-activation increases the chance of unintended persistence, data propagation, or network-side effects, especially when snapshots may contain sensitive context.

Ssd 3

Medium
Confidence: 94%
Finding
The standing orders require automatic snapshotting before session end and automatic restoration on every new session, which normalizes carrying forward prior session data by default. This is dangerous because it can persist sensitive user content across boundaries and reintroduce old context into new conversations without fresh consent or relevance checks.

Ssd 3

Medium
Confidence: 90%
Finding
The overflow workflow instructs the agent to extract critical information from the active context and serialize it into a transferable snapshot when context is large. That creates a built-in data exfiltration and over-retention path for whatever sensitive content happens to be in memory at the time, including secrets, personal data, or proprietary material.
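The Missing User Warnings finding and the two Ssd 3 findings describe one gap: snapshot content is serialized, written and forwarded with no check for secrets. The following is an added example of the manual gate the overview recommends, not the skill's own code. The skill's snapshot format is not known, so the snapshot is treated as plain text; the sample snapshot and every credential-looking value in it are constructed, and the pattern set is a starting point, not a complete secret taxonomy.

```python
"""Gate a context snapshot before it is persisted or sent to a peer.

Added example, not part of the Agent Swarm Network skill or SkillSpector.
The snapshot is treated as plain text because the real format is unknown.
"""
from __future__ import annotations

import re

# Secret classes to look for. The assignment pattern captures the key name in
# group 1 so the redacted text still shows what kind of value was removed.
SECRET_PATTERNS: dict[str, re.Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{16,}=*"),
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
    ),
    # Value class excludes '[' so an already-redacted marker is never re-matched.
    "assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*['\"]?([^\s'\",\[]{8,})"
    ),
}


class SnapshotBlocked(RuntimeError):
    """Raised when a snapshot would persist suspected secrets and redaction was not requested."""


def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (class, matched_text) for every suspected secret, in document order."""
    hits = []
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((m.start(), name, m.group(0)))
    return [(name, matched) for _, name, matched in sorted(hits)]


def redact(text: str) -> tuple[str, int]:
    """Replace every suspected secret with a class marker; return (text, count)."""
    count = 0
    for name, pat in SECRET_PATTERNS.items():
        def sub(m: re.Match[str], name: str = name) -> str:
            nonlocal count
            count += 1
            if name == "assignment":
                return f"{m.group(1)}=[REDACTED:{name}]"
            return f"[REDACTED:{name}]"
        text = pat.sub(sub, text)
    return text, count


def gate_snapshot(text: str, mode: str = "block") -> str:
    """Return text that is safe to persist. mode="block" refuses; mode="redact" scrubs."""
    hits = find_secrets(text)
    if not hits:
        return text
    if mode == "redact":
        cleaned, _ = redact(text)
        return cleaned
    classes = ", ".join(sorted({name for name, _ in hits}))
    raise SnapshotBlocked(
        f"refusing to snapshot: {len(hits)} suspected secret(s) present ({classes})"
    )


# Constructed sample of what an "extract critical information" step might
# serialize from a session that happened to contain credentials. None of the
# values are real.
SAMPLE_SNAPSHOT = """\
task: deploy build 42 to staging
notes: user asked to rotate keys after deploy
env: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key = sk-constructed-not-a-real-key-0001
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructedpayload.constructedsig
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC
-----END PRIVATE KEY-----
next_step: confirm with peer-agent b
"""

if __name__ == "__main__":
    for name, matched in find_secrets(SAMPLE_SNAPSHOT):
        print(f"{name}: {matched[:24]}...")
    try:
        gate_snapshot(SAMPLE_SNAPSHOT)
    except SnapshotBlocked as exc:
        print(exc)
    print(gate_snapshot(SAMPLE_SNAPSHOT, mode="redact"))
```

The default is to block rather than redact: a secret in the session is itself a finding the operator should see, and silently scrubbing it hides that. Redaction is idempotent, so the gate can be run again on a snapshot restored from disk before the restored text is re-injected into a new session, which addresses the auto-restore side of the same finding.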

VirusTotal

66/66 vendors flagged this skill as clean.
