multi-agent-team

Security checks across malware telemetry and agentic risk

Overview

The skill’s coordination and project-analysis features mostly match its stated purpose, but it needs Review because it auto-activates broadly and includes loosely scoped local file scanning and file-write behavior.

Install only if you want a globally auto-invoked project workflow assistant. Use it on trusted workspaces, review generated code maps and project-understanding files before sharing or committing them, avoid pointing it at broad directories with secrets, and do not pass untrusted filenames to spec_tools.py until its write path is constrained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (23)

MCP Least Privilege

Medium
Confidence
94% confidence
Finding
The skill advertises and demonstrates shell execution plus project file read/write behaviors, but does not declare permissions. This creates a trust and review gap: operators may approve or invoke the skill believing it is low-privilege, while it can execute local scripts, scan repositories, and modify files such as docs, specs, reports, or progress artifacts.

MCP Tool Poisoning

High
Confidence
97% confidence
Finding
The documented purpose emphasizes role dispatch and collaboration, but the skill also performs substantially broader actions: scanning the full project, generating analysis artifacts, updating spec files, persisting progress, and invoking local scripts via subprocess. That mismatch can cause users to authorize a coordination skill without realizing it has execution and broad repository access, increasing the risk of unintended data exposure or unauthorized changes.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The examples depict the skill autonomously modifying many files, deleting files, committing code, and completing refactors, which materially expands the apparent capability beyond a simple orchestration or routing skill. Even if only illustrative, this can mislead users into granting the skill broad trust and may normalize high-impact actions without clear consent boundaries or capability disclosure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The document claims the skill can publish hotfix versions and notify users, which are external, high-consequence actions not clearly declared in the skill description. Such claims can lead operators to over-trust the skill with deployment or communication authority, increasing the risk of unauthorized releases or misleading operational expectations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The examples advertise additional tooling capabilities such as spec environment initialization, code map generation, and project understanding generation that go beyond the stated manifest scope of multi-agent dispatch and collaboration. This is dangerous because users and downstream systems may grant broader trust, permissions, or execution expectations to the skill than intended, increasing the risk of unauthorized file-system analysis, documentation generation, or capability creep.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The template demonstrates a concrete default database password (`password`) while also advising that sensitive configuration should be managed via environment variables. Even in documentation, placeholder secrets that look usable can normalize insecure defaults, be copied into real deployments, and weaken security posture through credential reuse or forgotten overrides.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The tool writes collected project metadata and derived documentation to a fixed skill-internal path by default, which can persist potentially sensitive repository details in an unexpected location. In an agent setting, hidden or non-obvious writes increase the risk of unintended data retention, cross-project leakage, or later exposure through synced skill directories.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The update method joins user-controlled spec_file directly with the spec directory and then opens the resulting path for writing, without validating that the final resolved path stays inside docs/spec. An attacker can supply path traversal sequences such as ../ to overwrite arbitrary files writable by the process, which can lead to code tampering, configuration corruption, or persistence depending on where the write lands.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The examples show automatic progress persistence and substantial file modifications without any warning about local data changes, storage location sensitivity, or overwrite risk. In an agent context, normalizing silent persistence and repo modifications can cause unintended data exposure, corruption, or user surprise, especially in shared or sensitive workspaces.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document promotes fully automatic continuation, context restoration, and validation with no indication that execution may continue making changes without renewed user confirmation. In a multi-agent skill, this increases the risk of runaway autonomous actions, compounded mistakes, and unauthorized modifications after the user believes the session has paused or reached a safe checkpoint.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The Architect role is activated by broad, common phrases such as architecture review, code review, security check, and performance optimization. In a multi-agent router, this can cause unintended role selection, letting a highly privileged or expansive prompt take over conversations that were not meant for that role, which can distort outputs and weaken safety boundaries.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The Product Manager trigger list includes generic project terms like requirements review, user stories, and user experience that appear in ordinary software discussions. This makes accidental activation plausible, which can misroute tasks and cause the system to apply the wrong instruction set or authority model during execution.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The Test Expert trigger list contains broad phrases such as test plan, unit testing, and quality review that are common in normal development conversations. In a dynamic dispatch system, this can over-activate the testing persona and steer the agent into workflows, tools, or review behaviors the user did not intend.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The Solo Coder role is triggered by extremely common phrases like write code, fix bug, solve problem, and refactoring. Because these appear in everyday developer requests, the role may activate too often, potentially bypassing intended planning, review, or safer intermediary roles in the multi-agent workflow.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
Forcing mixed-language interactions to the first detected language without user consent can misinterpret user intent and cause important instructions, warnings, or confirmations to be delivered in an unintended language. In a multi-agent system, that increases the chance of misunderstanding and unsafe execution, especially when task routing or approvals depend on precise wording.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The README explicitly enables autoInvoke and describes very broad natural-language routing, so the skill can trigger on ordinary development requests without clear user intent. In an agent environment, overbroad auto-activation increases the chance of unintended execution paths, surprise file access, and delegated actions across many task types.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger keywords listed for roles include generic terms such as design, test, optimize, review, implement, and documentation-related phrases, with no disambiguation rules. This makes accidental invocation likely during normal conversation, especially when combined with automated role selection and consensus behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes automatic project reading, code-map generation, and project understanding over arbitrary paths, but provides no privacy warning, path restrictions, or guidance on excluding secrets. In practice this can expose credentials, proprietary code, internal docs, or unrelated files if users point the tool at broad directories or if the skill auto-runs these features.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises automatic reading of project documents and code and generating understanding artifacts, but it does not warn that these operations may ingest secrets, proprietary code, credentials in config files, or regulated data and then persist derived summaries to disk. In an agent skill context, this increases the chance users run broad analysis on sensitive repositories without realizing that data may be copied into generated files or model context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README encourages running code map generation against arbitrary project paths and writing JSON/Markdown summaries, but it omits warnings that scanning a repository can expose internal structure, dependency metadata, filenames, and sensitive architectural details. These derived artifacts can become a secondary leakage channel if committed, shared, or consumed by other tools.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Very broad trigger terms such as '设计' (design), '需求' (requirements), and '实现' (implement) can match many normal user requests and activate roles or workflows unintentionally. In this skill, accidental activation is more dangerous because the workflow includes project scanning, document generation, and potential shell/script execution, so a vague prompt could trigger more capability than the user intended.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code reads dependency files and copies up to 1000 characters of their contents into generated JSON/Markdown outputs without any sensitivity filtering or user warning. Dependency manifests and setup files can contain internal package names, private registries, tokens, credentials, or proprietary architecture details, so persisting their contents broadens the exposure surface.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The automatic trigger patterns are broad, generic phrases such as architecture, requirements, testing, implementation, and code review, which are common in normal developer conversations. Because autoInvoke is enabled globally, this can cause the skill to activate unintentionally across many unrelated contexts, potentially exposing project context to the wrong role workflow and causing undesired multi-agent actions.

VirusTotal

66/66 vendors flagged this skill as clean.