Squad Control

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it gives agents recurring authority to handle GitHub tokens, spawn workers, update tasks, and merge code.

Install only on a dedicated, monitored OpenClaw instance that you intentionally allow to modify repositories and Squad Control tasks. Prefer workspace-scoped Squad Control keys, fine-grained GitHub tokens from a bot account, protected branches, and required CI/reviews; avoid the optional wake-listener flow until its script is available and reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
The skill earlier states that if a PR exists, the only valid transition is to set the task to review, but this later completion section allows direct completion when no reviewer exists. That contradiction can cause agents to bypass review and mark PR-backed work as done, leaving unreviewed or unmerged code treated as completed.

Missing User Warnings

Severity: Medium
Confidence: 91%
This section instructs the agent to automatically change task state and create follow-up tasks based on inferred conditions, but it provides no explicit confirmation, approval gate, or user-facing warning for these impactful workflow actions. In an agent skill, autonomous state transitions can be abused or misfire due to stale data, parsing errors, or adversarial task content, causing unauthorized workflow manipulation and noisy or incorrect task creation.

Missing User Warnings

Severity: High
Confidence: 97%
This section directs a lead/orchestrator agent to clone a repository, merge a task branch into the default branch, and push directly to origin without an approval checkpoint or branch protection awareness. In a security context, direct repository modification by automation is highly sensitive because a mistaken task classification, malicious branch content, or compromised agent token could lead to unauthorized code being merged into production branches.

Missing User Warnings

Severity: Medium
Confidence: 94%
The API reference documents responses that include highly sensitive fields such as `githubToken` and explicitly states that account-scoped keys can return tasks from all workspaces, but it provides no warning or handling guidance for these secrets and broader data exposure. In an agent-skill context, this is dangerous because downstream agents may log, echo, persist, or misuse these credentials and cross-workspace records, increasing the chance of credential leakage and unintended access across repositories.

Missing User Warnings

Severity: Medium
Confidence: 96%
The API reference explicitly includes a `githubToken` field in normal task and workspace responses, exposing repository credentials through broadly used endpoints like `/api/tasks/pending` and `/api/tasks/pickup`. In an agent-skill context, this is especially dangerous because agents may log, echo, persist, or forward API responses to threads or external tools, turning task polling into credential exfiltration across workspaces when account-scoped keys are used.

VirusTotal

66/66 vendors flagged this skill as clean.