Back to skill

Security audit

Clawhub Select

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: enable peer task negotiation, with disclosed relay use, local persistence, and a background listener.

Install this only if you want agent-to-agent negotiation through an external relay and are comfortable with a background listener plus local commitment records. Use trusted peers, avoid putting secrets in proposals or handoffs, and protect the skills/claw-diplomat directory, especially diplomat.key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The natural-language triggers include broad everyday phrases like 'propose to', 'check in on', and 'connect with', which can cause the skill to activate during unrelated user conversations. In a skill that can initiate network connections, write persistent files, and start negotiation flows, unintended activation increases the risk of accidental outbound actions or socially engineered workflow entry points.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The hook is explicitly designed to run on every human message, which creates an always-on monitoring path over workspace state and causes unsolicited notifications to be generated continuously. Even though this file mainly reads local files and displays status, the broad trigger scope increases privacy exposure, user manipulation surface, and the chance of notification spam or prompt-style social engineering via attacker-controlled display data from MEMORY.md, ledger.json, or pending_approvals.json.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
hooks/diplomat-gateway/handler.ts:76

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
negotiate.py:489