Workflow Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed workflow runner, but it can run broad local commands hands-free and has weak safety boundaries for rollback and sensitive variables.

Review every workflow file as executable code. Use validate and dry-run first, avoid workflows from untrusted sources, do not place secrets in command lines or saved output, and do not rely on rollback unless explicit reversal steps are implemented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    import shlex
    cmd_parts = shlex.split(command)
    result = subprocess.run(
        cmd_parts,
        shell=False,
        capture_output=True,
Confidence
93% confidence
Finding
result = subprocess.run( cmd_parts, shell=False, capture_output=True, text=True, timeout=timeout,

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exposes shell execution capabilities through documented `python3 ... orchestrator.py` commands and arbitrary workflow `command` fields, but the metadata does not declare permissions or prominently communicate that it can execute system commands. This creates a trust and review gap: users or higher-level tooling may treat the skill as lower risk than it is, even though it can run multi-step shell workflows that perform deployment, rollback, and audit actions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code advertises rollback behavior but, on failure, only prints rollback log messages without undoing previously completed actions. In deployment or maintenance workflows this can leave systems in a partially applied state while operators falsely believe changes were reverted, increasing the chance of insecure or inconsistent configurations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The description emphasizes hands-free execution of automated pipelines for deployments and maintenance, but it does not pair that capability with an explicit warning that workflows can make real system changes. In this context, the orchestrator is more dangerous because it is specifically designed to chain multiple privileged actions, increasing blast radius if a workflow is wrong, malicious, or unexpectedly parameterized.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Documenting `{env.VAR_NAME}` substitution without a privacy warning encourages direct interpolation of environment variables into shell commands, where secrets may be exposed via process arguments, logs, saved output, or audit trails. This is especially risky here because the skill also supports `save_output` and audit logging, making accidental credential disclosure more likely across multiple workflow steps.

VirusTotal

66/66 vendors flagged this skill as clean.