结构化任务规划与分步执行 V2(异步子代理架构) (Structured Task Planning and Step-by-Step Execution V2, asynchronous subagent architecture)

Security checks across malware telemetry and agentic risk

Overview

This skill is, for the most part, the task orchestrator its description discloses, but it needs Review because it can spawn background work, manage cron jobs, read global session history, and perform cleanup actions whose scope is wider than its own task files.

Install only if you are comfortable with a skill that can create subagents, schedule recurring heartbeat jobs, inspect OpenClaw session history, and perform cleanup that may terminate work or delete task records. Use explicit /stp-style invocation, review plans carefully before confirming, avoid sensitive prompts, and do not enable task-directory deletion unless losing those task artifacts is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
This skill authorizes host-level process termination by parsing PIDs from session history and issuing kill commands. If PID extraction is wrong, stale, or manipulable, the skill could terminate unrelated processes and cause denial of service or data loss on the host.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill creates and deletes persistent cron jobs for background heartbeat execution, which gives it ongoing host scheduling capability beyond simple task planning. Persistence mechanisms increase the blast radius of misconfiguration or abuse, especially if jobs remain after failures or are triggered with broad privileges.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The orchestrator reads global session metadata and session files from ~/.openclaw/agents/main/sessions rather than restricting itself to its own task workspace. In a multi-task or multi-user environment, this creates cross-task information exposure and allows one skill instance to inspect activity and message history belonging to unrelated agent sessions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
This skill directly manages platform cron jobs via the openclaw CLI, giving the skill authority beyond its local task files. In skill context, creating recurring jobs is sensitive because it can create persistence, unintended background activity, and platform-side side effects if task orchestration is abused or invoked unexpectedly.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The interrupt path claims to terminate active subagents, but it only updates local state and returns identifiers for someone else to kill later. This mismatch is dangerous because operators may believe work has stopped while child agents continue running, potentially executing actions, consuming resources, or modifying data after an alleged interrupt.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrases include broad terms like '任务规划' and '步骤执行', which are generic enough to match ordinary conversation and unintentionally activate a high-privilege orchestration skill. Because this skill can spawn subagents, write files, and manage background execution, accidental invocation is more dangerous than for a read-only helper.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The heartbeat flow can automatically delete the entire task directory based on plan content, without a confirmation step at deletion time. In this orchestration context, that risks unintended data loss, especially because task plans are parsed from files and the deletion is triggered by background automation rather than an immediate user action.
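The two workspace-scope findings (reading ~/.openclaw/agents/main/sessions rather than the task's own directory, and deleting a task directory from a background heartbeat on the strength of parsed plan content) call for the same control, so one added example covers both. It is not the skill's code and not OpenClaw's: it confines file reads to the task directory and allows deletion only when the plan opts in, the operator has confirmed at deletion time, and the target resolves to a strict descendant of the tasks root. The tasks_root/task-001 layout, the plan's delete_on_complete key and the confirmed flag are assumptions; the directory tree is constructed in a temporary location so the example runs offline.

```python
"""Workspace containment for reads and cleanup (added example, not the skill's code)."""
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def within(root: Path, candidate: Path) -> bool:
    """True only if candidate resolves to root or a descendant of it.

    resolve() follows symlinks, so a link placed inside the task directory
    that points at another agent's session store is rejected as well.
    """
    try:
        candidate.resolve(strict=False).relative_to(root.resolve())
    except ValueError:
        return False
    return True


def read_task_file(task_dir: Path, rel: str) -> str:
    """Read a file only if it stays inside this task's own directory."""
    target = task_dir / rel
    if not within(task_dir, target):
        raise PermissionError(f"refusing to read outside task workspace: {rel}")
    return target.read_text()


def cleanup_task_dir(tasks_root: Path, task_dir: Path, plan: dict, confirmed: bool) -> str:
    """Delete a task directory only with opt-in, confirmation and containment."""
    if not plan.get("delete_on_complete"):
        return "kept"                      # plan never asked for deletion
    if not confirmed:
        return "needs-confirmation"        # background heartbeat alone may not delete
    if not within(tasks_root, task_dir) or task_dir.resolve() == tasks_root.resolve():
        return "refused"                   # outside the tasks root, or the root itself
    shutil.rmtree(task_dir)
    return "deleted"


def demo() -> Dict[str, object]:
    """Build a constructed layout in a temp dir and exercise both guards."""
    base = Path(tempfile.mkdtemp())
    tasks_root = base / "tasks"
    task_dir = tasks_root / "task-001"
    task_dir.mkdir(parents=True)
    (task_dir / "plan.json").write_text('{"delete_on_complete": true}')
    # Stands in for ~/.openclaw/agents/main/sessions: outside the task workspace.
    sessions = base / "sessions"
    sessions.mkdir()
    (sessions / "history.jsonl").write_text("unrelated session data")  # constructed
    out: Dict[str, object] = {}
    out["read_own"] = read_task_file(task_dir, "plan.json")
    try:
        read_task_file(task_dir, "../../sessions/history.jsonl")
        out["read_outside"] = "allowed"
    except PermissionError:
        out["read_outside"] = "refused"
    plan = json.loads((task_dir / "plan.json").read_text())
    out["no_optin"] = cleanup_task_dir(tasks_root, task_dir, {}, confirmed=True)
    out["unconfirmed"] = cleanup_task_dir(tasks_root, task_dir, plan, confirmed=False)
    out["root"] = cleanup_task_dir(tasks_root, tasks_root, plan, confirmed=True)
    out["confirmed"] = cleanup_task_dir(tasks_root, task_dir, plan, confirmed=True)
    out["task_dir_exists"] = task_dir.exists()
    shutil.rmtree(base)
    return out


if __name__ == "__main__":
    print(demo())
```

The confirmed flag is deliberately a separate input rather than a field in the plan: the plan is parsed from a file the skill itself writes, so a value inside it cannot stand in for an operator's decision at deletion time.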

VirusTotal

66/66 vendors flagged this skill as clean.