coding-agent

Security checks across malware telemetry and agentic risk

Overview

This is a real coding-agent delegation skill, but it normalizes unsandboxed or approval-bypassing agent runs and external side effects that users should review carefully.

Install only if you intentionally want agents to run coding tasks that may read and modify repositories and use your local CLI credentials. Prefer sandboxed modes, avoid --yolo and bypassPermissions unless you explicitly trust the repo and provider, use temp clones or worktrees, set timeouts for background jobs, and manually review diffs, GitHub comments, pushes, and PRs before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill says agents must never be started in the OpenClaw workspace, yet it instructs appending an `openclaw system event` completion command. That creates contradictory guidance and normalizes invoking platform-specific commands from delegated agents, which can leak control outside the intended project scope or trigger host-side actions unexpectedly.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The completion hook explicitly tells the spawned agent to run `openclaw system event ...` when done, despite earlier rules forbidding agent use in the OpenClaw workspace. Even if not run from that workspace, this still grants the delegated agent instructions to execute an external control-plane command, expanding its authority beyond code editing into platform interaction.

Missing User Warnings

Medium
Confidence: 96%
Finding
The guidance recommends `claude --permission-mode bypassPermissions --print` without an immediate, explicit warning that this disables normal confirmation safeguards. In a skill whose purpose is to launch coding agents against repositories, documenting permission bypass as standard practice materially increases the chance of unreviewed file changes, command execution, or access beyond user expectations.

Missing User Warnings

Medium
Confidence: 98%
Finding
The examples normalize `--full-auto` and especially `--yolo` modes, including descriptions such as 'no sandbox, no approvals,' but do not pair them with a strong safety warning or approval requirement. This is dangerous because the skill is effectively teaching operators to launch autonomous agents that can make repository changes and run commands without meaningful review.

Missing User Warnings

Medium
Confidence: 97%
Finding
This workflow chains `pnpm install`, autonomous agent execution, commit, push, PR creation, and cleanup as a background pattern, but does not require explicit user confirmation for those side effects. In combination with `--yolo`, it creates a high-risk path for supply-chain execution, code changes, and remote repository mutation with minimal oversight.

VirusTotal

65/65 vendors flagged this skill as clean.