Milestone Execution

Security checks across malware telemetry and agentic risk

Overview

This skill is a staged task runner, but it gives agents broad session and file-changing authority while leaving important execution and control details unclear.

Install only if you are comfortable with an agent spawning work sessions and modifying files in the current workspace. Use it in a controlled project directory, check for an existing .milestone-state.json before starting, and avoid the parallel milestone feature until the package includes the documented executor and clearer session/state ownership rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill claims a single work session model, but later instructs parallel execution across multiple work sessions. This inconsistency can break assumptions about isolation, authorization, and state ownership, causing commands or status updates to be sent to the wrong session or multiple sessions concurrently without clear control boundaries.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The later 'single session' rule contradicts the earlier parallel-execution guidance, creating ambiguous control flow and undefined precedence between instructions. In a session-management skill, such contradictions are dangerous because they can lead to orphaned sessions, incorrect rollback targets, or accidental continuation/stoppage of the wrong execution context.

Vague Triggers

Medium
Confidence: 89%
Finding
Using broad trigger words like '开始' (start), '继续' (continue), or '停下' (stop) without a strict invocation boundary makes accidental activation likely during ordinary conversation. In a skill that can spawn sessions, alter state, and send control messages, unintended triggering can initiate or modify task execution without clear user intent.

Vague Triggers

Medium
Confidence: 92%
Finding
The command table defines several single-word commands with no scope, target validation, or contextual restrictions. This is risky because ambiguous commands can be interpreted outside the intended workflow and may affect the wrong workSessionKey or perform privileged state transitions without adequate disambiguation.

VirusTotal

66/66 vendors flagged this skill as clean.