Security audit

Crewai Multi Agent

Security checks across malware telemetry and agentic risk

Overview

The skill is not proven malware, but its advertised CrewAI identity conflicts with finance/ZVT trading workflows and execution guidance that users may not expect.

Review carefully before installing. Treat this as a mismatched finance/ZVT trading and CrewAI knowledge bundle, not a clean general CrewAI framework skill. Do not allow package installs, telemetry, persistent memory, broker/provider credentials, or trading/backtest automation unless you intentionally want that scope and can verify the generated code and data sources yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch (High severity, 97% confidence)

The human summary is materially misaligned with the declared skill purpose: it presents a finance/ZVT quant-strategy assistant instead of a CrewAI multi-agent framework skill. This kind of capability/identity mismatch can cause users or downstream agents to invoke the skill under false assumptions, potentially triggering unintended workflows, unsafe code generation, or access to tools/data outside the expected scope.

Description-Behavior Mismatch (High severity, 99% confidence)

The file is a severe semantic mismatch: the advertised skill is a CrewAI multi-agent framework, but the actual artifact is a finance/ZVT trading and backtesting blueprint with execution rules, package installs, and strategy-generation logic. This kind of bait-and-switch is dangerous because it can cause an agent or user to invoke code paths, install dependencies, and handle data under false assumptions about the skill's purpose and risk profile.

Description-Behavior Mismatch (High severity, 98% confidence)

The user-facing use cases advertise unrelated domains like marketing, recruiting, games, CV matching, and email automation, while the execution logic and constraints are for quant trading and ZVT workflows. This broad deceptive surface can trick routing systems or users into enabling a high-risk financial skill in contexts where they expected harmless content automation.

Intent-Code Divergence (Medium severity, 93% confidence)

The post-install message mixes A-share quant-trading positioning with a capability catalog of unrelated CrewAI demos, creating misleading post-install guidance. That increases the chance of unsafe invocation, incorrect trust decisions, and accidental enablement of a trading-oriented skill by users who believe they installed a general-purpose orchestration helper.

Intent-Code Divergence (Medium severity, 92% confidence)

The human summary claims finance/ZVT assistance while listing unrelated use cases, which makes the skill's scope ambiguous at first contact. In a security-sensitive agent environment, misleading summaries increase the risk of misrouting, overbroad user consent, and execution of workflows the user did not intend to authorize.

Natural-Language Policy Violations (Medium severity, 80% confidence)

The summary instructs the agent to automatically translate content into the detected user locale on first contact without explicit user choice. While not severe on its own, automatic locale inference can lead to incorrect assumptions about user preferences and may expose sensitive contextual inference or reduce transparency about how the system is transforming content.

Vague Triggers (High severity, 96% confidence)

Broad positive terms like 'strategy', 'email', 'manager', and 'batch' create overmatching that can spuriously activate this skill for unrelated user requests. Because this skill includes installation recipes, execution flow, and financial/trading behaviors, accidental invocation materially raises the chance of unintended actions or unsafe guidance.

Vague Triggers (High severity, 97% confidence)

The execute trigger combines intent matching with extremely common verbs like 'run' and 'execute', making activation easy to satisfy accidentally. In the context of a misleading, high-complexity skill, that ambiguity increases the risk of unintended execution preparation, dependency installation, or state transitions without informed user intent.

Ssd 3 (High severity, 95% confidence)

The file explicitly normalizes telemetry transmission and memory retention of agent or workflow data, including opt-out telemetry behavior and shared business-context payloads under some settings. In an agent skill, especially one touching potentially sensitive financial workflows, default persistence and transmission meaningfully increase privacy, compliance, and data-exposure risk.

Ssd 3 (Medium severity, 90% confidence)

The memory defaults and persistence assumptions encourage storing user/task information beyond the immediate interaction, with provider defaults and recall behavior baked into the design. Persistent memory is risky in shared or long-lived agent contexts because it can retain sensitive prompts, derived data, or cross-session state without clear minimization boundaries.

Ssd 3 (High severity, 96% confidence)

Implicit aggregation of all prior task outputs creates a cross-step data-leak channel where downstream agents receive more context than necessary. In multi-agent workflows this violates least-privilege principles, increases prompt injection blast radius, and can expose sensitive intermediate outputs to agents or tools that do not need them.

VirusTotal

65/65 vendors flagged this skill as clean.