Agent Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: coordinate multiple OpenClaw agents, with disclosed local state and safety controls.

Install this only if you want multi-agent orchestration and accept the extra token use and spawned sessions. Avoid putting secrets or sensitive documents in task text, keep ORCHESTRATOR_SAFE_STATE enabled, review outputs before acting on them, and remove local .*_state.json files when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Category: MCP Least Privilege
Severity: Medium
Confidence: 90%
Finding: The skill advertises and relies on operational capabilities such as session spawning and orchestration of multiple agents, while the package metadata does not declare any permissions despite static analysis detecting env, file, network, and shell-like capabilities. This creates a trust and review gap: users and policy systems may approve the skill based on incomplete metadata, then the skill can perform broader actions than expected through its implementation.

Category: Description-Behavior Mismatch
Severity: Low
Confidence: 94%
Finding: The router persists task routing history, including reasoning and metadata derived from user task text, to a local state file by default. In an agent orchestration context, tasks may contain sensitive prompts, internal business data, credentials, or incident details, so undisclosed persistence expands the data exposure surface beyond simple in-memory routing.

Category: Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: Routing history is written to disk without any user-facing notice or consent, and the saved history includes reasoning and metadata derived from user tasks. Because this skill is specifically designed to process arbitrary incoming tasks, it is reasonably likely to handle sensitive operational or personal data, making silent local persistence a meaningful confidentiality risk.

Category: Missing User Warnings
Severity: Low
Confidence: 94%
Finding: The test plan explicitly includes the shell substitution `$(cat very_long_document.txt)` to ingest a local file into a CLI task. Even though this appears in documentation and tests rather than executable code, it normalizes reading arbitrary local file contents into the agent workflow without any warning about exposing sensitive data in prompts, logs, or downstream model processing. In a multi-agent orchestration skill, that context slightly increases risk because the content may be propagated across multiple workers and verbose logging paths.

Category: Missing User Warnings
Severity: Low
Confidence: 80%
Finding: The code persists agent tasks, session IDs, error text, and output previews to a local state file. Even in safe mode, redaction is only partial and based on pattern matching, so sensitive prompts, proprietary data, or credentials that do not match the regexes may be written to disk and later exposed to other local users, backups, or logs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal