Agent Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-agent orchestrator; its sensitive behavior is expected for that purpose and no hidden exfiltration, destructive action, or deceptive execution was found.

Install only if you want multi-agent OpenClaw workflows and accept that tasks and intermediate outputs may be sent to multiple spawned sessions. Keep tasks tightly scoped, avoid secrets or regulated data in prompts, keep ORCHESTRATOR_SAFE_STATE enabled, limit agent counts/rounds for cost and control, and review outputs before using them for code changes, deployments, publishing, or other high-impact actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill advertises orchestration features that inherently imply powerful operations such as spawning sessions, routing work, and interacting with multiple agents, while the manifest does not declare any permissions. This creates a transparency and least-privilege problem: users and security controls may underestimate the skill's access needs even though the documented commands and dependency list suggest file, shell, environment, and possibly network-capable behavior.

Missing User Warnings

Medium
Confidence: 78%
Finding
The full user-supplied question is embedded into expert prompts and passed to spawned sub-agent sessions, which can expose sensitive user input to additional model contexts or external orchestration layers without clear disclosure or minimization. In a multi-agent orchestration skill, this increases data propagation and privacy risk, especially if questions contain secrets, proprietary data, or regulated content.

Vague Triggers

Medium
Confidence: 82%
Finding
The pipeline description is generic enough that an orchestrator could invoke it for a wide range of loosely related tasks, increasing the chance of unintended use with sensitive, proprietary, or unsafe inputs. In a multi-stage pipeline with full context passing, broad invocation criteria can amplify downstream risk because every stage may process and transform more data than necessary.

Vague Triggers

Medium
Confidence: 86%
Finding
The coder trigger list uses broad terms such as 'bug', 'function', 'code', and 'implement', which can match many ordinary requests without sufficient context. In an auto-routing system, this can misclassify tasks and send them to the wrong specialist, causing incorrect handling, reduced reliability, or unsafe downstream actions if specialists have different permissions or tools.

Vague Triggers

Medium
Confidence: 89%
Finding
The researcher trigger list includes generic words like 'find', 'learn', and 'explore', which appear in many unrelated user requests. This increases the chance of unintended routing and could expose tasks to the wrong agent path, especially in orchestration contexts where routed agents may have different behaviors, prompts, or tool access.

Vague Triggers

Medium
Confidence: 88%
Finding
The writer trigger list contains highly generic terms such as 'write', 'document', 'content', and 'copy' that overlap with many technical, support, or analytical requests. This can cause erroneous routing and degraded system safety when the wrong specialist produces outputs or takes actions outside the user's real intent.

Vague Triggers

Medium
Confidence: 91%
Finding
Multiple specialist trigger lists rely on vague everyday terms like 'help', 'check', 'plan', 'fix', and 'support' without strong disambiguation, creating systemic routing ambiguity across the configuration. In a multi-agent orchestrator, this broad overlap makes misrouting more likely and compounds risk because downstream specialists may apply inappropriate prompts, tools, or automation based on an incorrect classification.

Missing User Warnings

Medium
Confidence: 91%
Finding
The pipeline forwards raw user input and prior stage outputs directly into newly spawned agent sessions, and the default mode is FULL context passing. In a multi-agent orchestration skill, this can expose sensitive or unnecessary data to additional agent contexts without minimization or explicit disclosure, increasing prompt-injection and data-leakage risk across stages.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code writes routing history to a predictable local state file without any notice, consent, minimization, or access controls. Because task descriptions may contain sensitive prompts, secrets, internal project details, or personal data, silent persistence can create unintended data exposure to other local users, processes, backups, or later forensic recovery.

Missing User Warnings

Medium
Confidence: 94%
Finding
The supervisor sends the full original task and prior step outputs directly into spawned worker prompts, which can expose sensitive user-provided content to additional agents without any explicit consent or minimization. In an orchestration skill, this broad propagation increases the attack surface for unintended disclosure, logging, retention, or reproduction of secrets across worker sessions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The default configuration persists session state to a local file (.supervisor_state.json) without runtime notice, which can silently store sensitive prompts, outputs, metadata, or workflow history on disk. This is dangerous on shared systems or developer machines where local files may be backed up, committed, or accessed by other users or processes.

Missing User Warnings

Low
Confidence: 84%
Finding
The test plan explicitly validates that verbose mode captures supervisor reasoning, but it does not include any warning, redaction requirement, or logging hygiene guidance. In a multi-agent orchestration system, verbose/reasoning logs can expose sensitive task content, intermediate outputs, credentials, file contents, or hidden chain-of-thought-like internal context if operators enable debugging in real or shared environments.

Missing User Warnings

Medium
Confidence: 86%
Finding
The code persists session metadata and output previews to a local state file automatically, which can retain sensitive task content, agent outputs, and error text on disk. Although there is redaction and a safe mode by default, the redaction is pattern-based and incomplete, and the state file is written without access controls or explicit consent, increasing local data exposure risk in an orchestration skill that handles arbitrary user tasks.

Ssd 3

Medium
Confidence: 96%
Finding
Worker chaining injects the original task and previous step outputs verbatim into later prompts, so any sensitive data supplied early in the workflow can be propagated and reproduced across multiple agents. In a multi-agent orchestrator, this makes prompt-based data exfiltration and over-sharing more likely because each downstream worker receives more information than it may actually need.

Ssd 3

Medium
Confidence: 95%
Finding
The synthesis phase aggregates outputs from all workers into one final prompt, creating a single step that can unintentionally consolidate and reveal sensitive material gathered throughout the workflow. Because the synthesizer is instructed to integrate all outputs and resolve conflicts, it may restate secrets or private content that should have remained compartmentalized.

VirusTotal

65/65 vendors flagged this skill as clean.