Autonomous Agent

Security checks across malware telemetry and agentic risk

Overview

This framework is openly autonomous by design, but it is flagged for Review because it can inspect broad local system state and offers autonomous execution without clearly enforced user controls.

Install only if you intentionally want an experimental autonomous-agent framework. Keep it in assisted or manual mode, do not connect it to sensitive write-capable tools or production credentials, and define explicit monitored paths, retention limits, and approval rules before enabling monitoring or autonomous execution.

SkillSpector

By NVIDIA
Vulnerability patterns checked
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability (Medium, 90% confidence)

The metrics collector gathers host-wide CPU, memory, disk, and process-count data for the entire machine rather than limiting telemetry to the agent or skill itself. In an autonomous-agent skill, this expands visibility into the user's environment beyond what is necessary for event monitoring and creates unnecessary privacy and fingerprinting risk if the data is logged, exposed to handlers, or transmitted elsewhere.

Intent-Code Divergence (Medium, 96% confidence)

The timeout mechanism is non-functional because the daemon thread raises TimeoutError only within itself and cannot interrupt or signal the running task. In an autonomous-agent execution layer, this can allow untrusted or buggy tasks to run indefinitely, causing denial of service, thread exhaustion, and loss of control despite the API claiming timeout enforcement.

Intent-Code Divergence (Medium, 96% confidence)

This is a real logic flaw: the code computes a downgraded or upgraded final_action based on confidence, but leaves requires_approval tied to the original base_decision['approval']. That can produce inconsistent states such as an execution action marked as requiring approval, or approval workflows making decisions based on the wrong flag, which is especially risky in an autonomous-agent framework where downstream components may rely on either field to authorize execution.

Intent-Code Divergence (Medium, 93% confidence)

The method is named and documented as executing a correction action, but it always returns a hard-coded success result with fabricated before/after metrics and marks the correction as completed. In an autonomous-agent framework, other components may trust this output to make follow-up decisions, creating a false sense of remediation, masking failures, and corrupting operational telemetry or audit data.

Context-Inappropriate Capability (Medium, 88% confidence)

The code scans broad log locations such as /var/log and local ./logs, then parses and retains lines containing error-related keywords. This exceeds the narrow needs of state awareness for an autonomous-agent skill and can collect sensitive system or application data unrelated to the agent, increasing privacy exposure and unnecessary data access.

Context-Inappropriate Capability (Low, 85% confidence)

The memory usage routine recursively walks the memory directory and returns recent file paths, sizes, and modification times. Exposing full paths and metadata can leak internal structure or sensitive filenames, especially if summaries are surfaced to other components or users.

Missing User Warnings (Medium, 87% confidence)

The skill describes monitoring user activity and learning from user preferences and patterns without an explicit privacy notice, retention policy, or consent model. In an autonomous-agent context, this is more dangerous because continuous perception and reflection can accumulate behavioral profiles over time, increasing privacy and surveillance risks.

Missing User Warnings (Medium, 89% confidence)

The skill references external API connectivity and diverse data sources without warning that local or learned data may be transmitted off-system. For an autonomous framework with monitoring and memory features, undisclosed network egress can expose sensitive telemetry, logs, preferences, or configuration data to third parties.

Missing User Warnings (Medium, 88% confidence)

The agent has a fully autonomous execution path that runs recommended actions automatically when mode is set to FULLY_AUTONOMOUS, with no user confirmation, approval gate, or visible warning in this file. In an autonomous-agent framework, this increases the chance that misclassified tasks, unsafe recommendations, or manipulated inputs lead directly to real actions being executed without human review.

Missing User Warnings (Medium, 83% confidence)

Starting heartbeat and event monitoring without a clear user-facing disclosure can result in silent collection of system events and state data. Even if intended for agent operation, undisclosed monitoring creates privacy, transparency, and trust risks, especially because this framework is explicitly designed for independent operation and continuous perception.

Missing User Warnings (Medium, 92% confidence)

The user activity monitor records session timing, interaction counts, and per-interaction details without any notice, consent, or minimization controls. In an autonomous-agent context, this behavior can quietly build behavioral profiles of the user's activity, which is privacy-sensitive and can become more dangerous if combined with other collected events.

Missing User Warnings (Low, 88% confidence)

The system monitoring component collects host performance data without a clear user-facing disclosure, which creates unnecessary privacy exposure even if the data seems operational. While lower risk than direct credential or code-execution issues, it still increases environmental visibility and may reveal usage patterns or system characteristics that are unrelated to the core user task.

Missing User Warnings (Medium, 83% confidence)

The state capture routine aggregates user- and system-related data from logs, configuration files, installed skills, and memory directories without any visible consent, notice, or scoping controls. In an autonomous-agent context, silent collection of this breadth of data increases privacy and surveillance risk because the component is designed for recurring state capture and historical retention.

VirusTotal

65/65 vendors flagged this skill as clean.