Dev Team

Security checks across malware telemetry and agentic risk

Overview

This skill is for development automation, but it defaults to launching coding agents with broad local and GitHub authority while retaining prompts and logs, so it needs careful review before installation.

Install only in an isolated development environment with repositories and credentials you are comfortable exposing to spawned coding agents. Do not run it on sensitive home directories, shared machines, or production systems. Avoid enabling ENABLE_LOCAL_ACTIONS unless the dev-board is bound to trusted localhost-only access, review logs before sharing them, and treat GitHub/Feishu posting plus prompt/log retention as data egress and storage risks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    wrapped_cmd = f"cd {shlex.quote(worktree)} && {command_shell} 2>&1 | tee -a {shlex.quote(log_file)}"
else:
    wrapped_cmd = f"cd {shlex.quote(worktree)} && {command_shell}"
proc = subprocess.run(
    ["tmux", "new-session", "-d", "-s", session, wrapped_cmd],
    capture_output=True,
    text=True,
Confidence
99% confidence
Finding
proc = subprocess.run( ["tmux", "new-session", "-d", "-s", session, wrapped_cmd], capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not os.path.isabs(launch_script):
    launch_script = os.path.abspath(os.path.join(tasks_dir, launch_script))
if os.path.exists(launch_script):
    proc = subprocess.run(
        ["tmux", "new-session", "-d", "-s", session, f"bash {shlex.quote(launch_script)}"],
        capture_output=True,
        text=True,
Confidence
86% confidence
Finding
proc = subprocess.run( ["tmux", "new-session", "-d", "-s", session, f"bash {shlex.quote(launch_script)}"], capture_output=True,

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The Gemini agent is presented as a design/specification assistant, but it is granted powerful capabilities including shell execution and arbitrary file read/write. In a multi-agent orchestration skill, this mismatch can cause operators or routing logic to trust the agent with low-risk tasks while it actually has broad system and repository access, increasing the chance of prompt-triggered command execution, file tampering, or data exfiltration.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The API is not limited to passive monitoring: when ENABLE_LOCAL_ACTIONS=1, unauthenticated HTTP endpoints can trigger local shell scripts for cleanup, AI review, fixup, and agent checks. Although actions are allowlisted and some inputs are validated, this still exposes privileged local orchestration capabilities over HTTP with no authentication, authorization, or CSRF protection visible in this file.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The log endpoints expose raw task logs and orchestrator logs over HTTP without any access control in this file. Those logs can contain repository paths, branch names, tokens, command output, internal errors, or other sensitive operational data, so an attacker who can reach the service may gain substantial reconnaissance or secret leakage.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script launches external coding agents with explicit sandbox/approval bypass flags such as `codex exec --dangerously-bypass-approvals-and-sandbox` and `claude --dangerously-skip-permissions`. Because the prompt is user-supplied and the skill’s role is orchestration, this gives spawned agents unrestricted ability to read, modify, or exfiltrate local data and operate outside normal safety controls.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation explicitly instructs operators to run agent CLIs with `--dangerously-bypass-approvals-and-sandbox` and `--dangerously-skip-permissions` without prominent risk warnings, scoping restrictions, or compensating controls. In a skill that spawns autonomous coding agents, this materially increases the chance of unreviewed command execution, filesystem modification, credential exposure, and destructive git or network actions, especially because the same skill also automates PR, review, and cleanup workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reference explicitly documents dangerous flags such as approval/sandbox bypass and permission-skipping options without any safety guidance, constraints, or warning about their consequences. In a skill meant to orchestrate coding agents, this materially increases the chance that operators or downstream automation will launch agents with reduced safeguards, enabling unintended code execution, file modification, or policy bypass.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The recommended Cursor examples normalize use of force mode together with code-modifying behavior, but do not warn that the workspace may be changed automatically. Because this skill coordinates automated development agents, such examples can be copied into real workflows and lead to silent or overly broad modifications, especially when combined with other automation around git worktrees and multi-agent execution.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation states that notifications are sent through Feishu/OpenClaw by default, but it does not explicitly warn users that monitoring data may be transmitted to an external messaging platform. In an agent-orchestration skill, those notifications could include repository status, task metadata, or other operational details, so silent external delivery creates a real data-leakage risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script automatically invokes cleanup, prune, queue sync, and queue history pruning scripts immediately after checking agents, with only minimal console output and no explicit confirmation. In a dev-team orchestration skill, these follow-on scripts likely modify or delete worktrees, task history, or queue state, so an operator running a routine status check may trigger unintended destructive maintenance actions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The UI exposes backend-triggered operational actions such as AI review and fixup through simple POST requests, while only some actions receive explicit user confirmation. In this dev-team orchestration context, these actions can alter code, trigger reviews, or affect repositories/worktrees, so weak disclosure and inconsistent confirmation increase the chance of accidental or socially engineered execution of sensitive operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script invokes external coding/review agents with `codex exec --dangerously-bypass-approvals-and-sandbox` and `claude --dangerously-skip-permissions`, while feeding them PR metadata and diff content. In a multi-agent development orchestration skill, this removes local safety barriers for untrusted model/tool execution and can expose the repo or host environment to unintended file access, command execution, or data exfiltration if the reviewer CLI follows unsafe tool-use paths or is prompt-influenced by code under review.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script automatically posts reviewer-generated comments and an aggregate summary to GitHub unless `--no-post` is supplied, but it does not prominently warn that locally generated outputs, including summaries derived from diff content and file paths, will be transmitted to an external service. In this skill context, reviews are produced by multiple agent CLIs and may include hallucinated sensitive details, internal paths, or excerpts from proprietary code, creating a confidentiality and data-governance risk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script silently performs one-time migration by moving runtime files and the `logs/` directory into `assets/` during a setup check. In a development orchestration skill, this can unexpectedly alter state, break tooling that still expects old paths, or hide operational data, especially because it happens automatically rather than as a separate explicit migration step.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script stores the full user prompt in `active-tasks.json` without warning, making potentially sensitive instructions, secrets, tokens, proprietary code snippets, or internal URLs persist in plaintext metadata. In a multi-agent development environment, that broadens exposure to other tools, users, backup systems, and later processing.

Ssd 3

Medium
Confidence
95% confidence
Finding
The script not only records the full prompt in task metadata but also pipes agent output to log files, creating a durable plaintext leakage path for sensitive input and any echoed secrets. Given this skill orchestrates multiple coding agents and logs centrally, the operational context makes prompt leakage more dangerous rather than less.

VirusTotal

64/64 vendors flagged this skill as clean.