Smart Agent Workflow

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real workflow skill, but it gives agents broad memory, logging, messaging, and publishing habits that are not tightly scoped for a general install.

Install only if you want an agent workflow system that can create local memory, logs, task briefs, metrics, and reports. Before using it with sensitive work, remove or constrain the team-specific messaging, GitLab push, TAPD/Confluence, Telegram, proxy, and external AI summarization materials; also add clear opt-in, retention, review, and deletion controls for stored conversation data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Medium (94% confidence)
Finding
The file gives conflicting retry guidance: earlier it says to stop and report after three failures, while this later section says to retry three times and then try an alternative before skipping. In an agent workflow skill, contradictory failure-handling rules can cause autonomous agents to keep acting after repeated failures, increasing the chance of unsafe repeated operations, hidden loops, or policy bypass through ambiguity.
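
The contradiction is easiest to remove by making the bound explicit in code rather than in prose. The Python wrapper below is an added illustration, not code from the skill: each task gets one attempt budget that the primary action's retries and any alternatives draw from together, non-idempotent actions (a push, a message) are attempted once, and exhausting the budget raises a terminal error that carries the attempt log for the report. The function and exception names are assumptions.

```python
# Added example, not the skill's own code; names and limits are assumptions.


class BudgetExhausted(RuntimeError):
    """Terminal failure: the agent stops and reports instead of acting further."""

    def __init__(self, log):
        super().__init__(f"stopped after {len(log)} attempts; report to the user")
        self.log = log


def run_with_budget(actions, retries_per_action=3, total_budget=5):
    """Run (name, callable, idempotent) actions in order until one succeeds.

    Every call, whether a retry of the primary action or an attempt at an
    alternative, consumes one unit of total_budget, so "retry three times,
    then try an alternative" can never run past the budget. Non-idempotent
    actions get a single attempt because a retry could repeat a visible
    side effect. Returns (result, attempt_log); raises BudgetExhausted when
    every action is used up or the budget is gone.
    """
    log = []
    for name, fn, idempotent in actions:
        limit = retries_per_action if idempotent else 1
        for _ in range(limit):
            if len(log) >= total_budget:
                raise BudgetExhausted(log)
            try:
                result = fn()
            except Exception as exc:  # keep the reason for the final report
                log.append((name, f"error: {exc}"))
                continue
            log.append((name, "ok"))
            return result, log
    raise BudgetExhausted(log)


def flaky_fetch(state):
    """Constructed action: times out on the first call, succeeds on the second."""
    state["calls"] += 1
    if state["calls"] < 2:
        raise OSError("timeout")
    return "fetched"


def refused():
    """Constructed action that never succeeds."""
    raise OSError("connection refused")


if __name__ == "__main__":
    state = {"calls": 0}
    print(run_with_budget([("fetch", lambda: flaky_fetch(state), True)]))
    try:
        run_with_budget([("fetch", refused, True), ("mirror", refused, True),
                         ("push", refused, False)])
    except BudgetExhausted as stop:
        print(stop, stop.log)
```

With the defaults, the second run stops after five attempts (three on `fetch`, two on `mirror`) and never reaches the non-idempotent `push`; the caller gets the log and reports, which is the behaviour the earlier "stop after three failures" rule wanted.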

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The code sends both recent conversation history and previously stored long-term memory to an external AI client for summarization. That creates a real data-exfiltration/privacy risk because potentially sensitive user content is disclosed to a third party, and the skill's methodology-oriented purpose does not clearly require remote transfer of user memory.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The document classifies `web_search` and `sessions_list` as inherently safe operations, even though they can expose prompts, metadata, or cause unintended external data disclosure depending on the agent environment. Labeling them as universally safe may suppress appropriate risk review and lead operators to perform externally scoped actions without confirmation or data-minimization checks.

Context-Inappropriate Capability

Medium (82% confidence)
Finding
The security standard includes a prescriptive workflow for `message()`-based outbound communication, which expands the skill from methodology guidance into operational control of external communications. In an agent setting, this can normalize sending data or messages to third parties and increase the chance of privacy leaks or unauthorized actions if users follow the procedure as approved behavior.

Context-Inappropriate Capability

Medium (90% confidence)
Finding
Including procedures for `git push` and `exec()` with network requests exceeds a methodology-focused skill and legitimizes high-impact operational actions inside a broadly reusable workflow document. Even though confirmations are mentioned, embedding these actions in a standard can encourage agents to treat code publication and network execution as routine, increasing the risk of exfiltration, unauthorized deployment, or irreversible changes.
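
Rather than labeling individual tools safe or unsafe, a gate can classify each call by where its data goes and require a per-session, per-target confirmation for anything that writes the workspace or leaves the host. The Python below is an added example, not the skill's own code: the tool names come from the three findings above, while the tiers, the `Decision` record and `ToolGate` are assumptions. `web_search` is treated as an external read because the query itself is disclosed to the provider, and `sessions_list` is recorded in the audit even though it is local in this setup.

```python
# Added example, not the skill's own code. Tool names come from the findings;
# tier assignments, Decision and ToolGate are assumptions.
from dataclasses import dataclass, field

LOCAL_READ = "local-read"        # reads on this host only; still logged
LOCAL_WRITE = "local-write"      # creates or modifies workspace files
EXTERNAL_READ = "external-read"  # the query itself leaves the host
EXTERNAL_SEND = "external-send"  # data or side effects leave the host

TOOL_TIERS = {
    "sessions_list": LOCAL_READ,   # local here; reclassify if the session store is remote
    "web_search": EXTERNAL_READ,   # the search query is disclosed to the provider
    "write_task_brief": LOCAL_WRITE,
    "message": EXTERNAL_SEND,
    "git_push": EXTERNAL_SEND,
    "exec": EXTERNAL_SEND,         # arbitrary command on a host with network access
}


@dataclass
class Decision:
    tool: str
    tier: str
    allowed: bool
    reason: str


@dataclass
class ToolGate:
    """Per-session gate: no tool is 'inherently safe'; each tier has its own rule."""
    allow_external_read: bool = False                # one explicit opt-in per session
    confirmations: set = field(default_factory=set)  # (tool, target) pairs the user approved
    audit: list = field(default_factory=list)

    def confirm(self, tool, target):
        """Record a user confirmation for one tool/target pair, not the whole tool."""
        self.confirmations.add((tool, target))

    def check(self, tool, args):
        tier = TOOL_TIERS.get(tool)
        target = args.get("target", "")
        if tier is None:
            d = Decision(tool, "unknown", False, "tool not in policy; refuse by default")
        elif tier == LOCAL_READ:
            d = Decision(tool, tier, True, "local read; recorded in audit")
        elif tier == EXTERNAL_READ:
            d = Decision(tool, tier, self.allow_external_read,
                         "external lookup opted in" if self.allow_external_read
                         else "query would leave the host; needs session opt-in")
        elif (tool, target) in self.confirmations:
            d = Decision(tool, tier, True, f"user confirmed {tool} -> {target!r}")
        else:
            d = Decision(tool, tier, False, f"needs confirmation for {tool} -> {target!r}")
        self.audit.append(d)
        return d


if __name__ == "__main__":
    gate = ToolGate()
    for tool, args in [("sessions_list", {}), ("web_search", {"query": "release checklist"}),
                       ("git_push", {"target": "origin/main"}), ("exec", {"target": "curl"})]:
        print(gate.check(tool, args))
    gate.confirm("git_push", "origin/main")
    print(gate.check("git_push", {"target": "origin/main"}))
```

A confirmation is scoped to one target, so approving a push to `origin/main` does not approve a push to `origin/release`, and an unknown tool is refused rather than assumed harmless.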

Vague Triggers

Medium (83% confidence)
Finding
The skill presents itself as applicable to 'any AI agent' and as the 'only complete methodology,' without clear activation boundaries, trust assumptions, or environmental constraints. In agent ecosystems, broad trigger language can cause over-application of the skill's instructions, increasing the chance that it influences unrelated tasks or overrides more appropriate, narrower policies.

Natural-Language Policy Violations

Medium (88% confidence)
Finding
The skill content and embedded setup instruction are in Chinese and tell the user to 'read ~/smart-agent/AGENTS.md and follow all rules' without offering locale negotiation or user opt-in. This can mislead non-Chinese-speaking operators or agents into obeying instructions they cannot fully review, weakening informed consent and increasing prompt-injection risk through imported local rule files.

Missing User Warnings

Medium (88% confidence)
Finding
The document recommends unattended cron-based execution of a compression script that can delete, merge, or move memory content, but it does not require dry-run mode, backups, confirmation, or review of the resulting changes. In an agent workflow context, memory files may contain important operating rules or context, so silent automated modification can cause data loss, degrade agent behavior, or erase safety-relevant instructions over time.

Missing User Warnings

Medium (93% confidence)
Finding
The guide explicitly tells users to place Telegram bot secrets in a local .env file but provides no warning to restrict permissions, exclude the file from version control, or avoid sharing it. In a setup guide for a bot integration, this omission materially increases the chance of accidental credential disclosure through commits, backups, screenshots, or copied project folders.

Missing User Warnings

Medium (88% confidence)
Finding
The document instructs users to set http_proxy and https_proxy before running the bot, but does not explain that bot traffic and potentially sensitive Telegram/API metadata may traverse the proxy. This can expose message contents, tokens, or operational data to a local or upstream proxy controlled by a third party.
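
A preflight check covers both omissions in the two findings above: the permissions and git-ignore status of the `.env` file, and which host a proxy variable would route the bot's traffic through. The Python below is an added example, not part of the skill's setup guide; `check_env_file`, `check_proxy_env` and the list of variables inspected are assumptions, and the token in the demo is a constructed placeholder.

```python
# Added example, not part of the skill's setup guide; names are assumptions.
import os
import shutil
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def check_env_file(project_dir):
    """Warn when .env is readable by others or is not excluded from git."""
    project = Path(project_dir)
    env = project / ".env"
    warnings = []
    if not env.exists():
        return warnings
    mode = stat.S_IMODE(env.stat().st_mode)
    if mode & 0o077:
        warnings.append(f".env mode is {mode:03o}; other users can read the bot token (chmod 600 .env)")
    gitignore = project / ".gitignore"
    if not (gitignore.exists() and ".env" in gitignore.read_text().splitlines()):
        warnings.append(".env is not listed in .gitignore; the token can end up in a commit")
    return warnings


def check_proxy_env(environ=None):
    """Name the host that will see bot traffic when a proxy variable is set."""
    environ = os.environ if environ is None else environ
    warnings = []
    for var in ("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY"):
        value = environ.get(var)
        if not value:
            continue
        host = urlsplit(value if "://" in value else "http://" + value).hostname
        if host not in LOOPBACK:
            # A CONNECT proxy sees destination hosts; one that terminates TLS, or
            # plain-HTTP traffic, exposes full requests including the Bot API path.
            warnings.append(f"{var}={value}: bot traffic transits {host}")
    return warnings


def demo():
    """Constructed project: a 0644 .env and no .gitignore, then the fix applied."""
    tmp = tempfile.mkdtemp()
    try:
        env = Path(tmp) / ".env"
        env.write_text("TELEGRAM_BOT_TOKEN=000000:placeholder\n")  # constructed, not a real token
        env.chmod(0o644)
        before = check_env_file(tmp)
        env.chmod(0o600)
        (Path(tmp) / ".gitignore").write_text(".env\n")
        after = check_env_file(tmp)
        proxy = check_proxy_env({"https_proxy": "http://user:pw@proxy.corp.example:3128"})
        return {"before": before, "after": after, "proxy": proxy}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for line in check_env_file(".") + check_proxy_env():
        print("WARN:", line)
```

Run it from the bot's project directory before starting the bot; an empty output means the file is owner-only and ignored by git, and no proxy variable points off-host.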

Missing User Warnings

Medium (93% confidence)
Finding
The document instructs the agent to automatically append per-conversation metrics to a persistent log without any notice, consent, retention limits, or guidance to avoid storing sensitive task context. Even though the example logs mostly contain aggregate fields, the workflow normalizes automatic conversation-derived telemetry collection and could lead to inadvertent capture of sensitive metadata or user-related operational details in shared repositories or local files.

Missing User Warnings

Medium (96% confidence)
Finding
The module transmits stored memory and dialogue content to an external AI service without any visible consent, disclosure, or policy enforcement in this code path. That is a genuine privacy/security issue because users may reasonably expect local context handling, especially for a skill presented as workflow methodology rather than data-sharing infrastructure.

Missing User Warnings

Medium (90% confidence)
Finding
The code persistently stores user conversation history and long-term memory on disk, but there is no visible indication of consent, retention limits beyond message trimming, encryption, or access controls. This can expose sensitive information to other local users, backups, or compromised hosts, making it a real confidentiality risk.
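
The controls the overview asks for (opt-in, retention, review, deletion) and the warnings missing from the findings above can be built into the memory layer itself. The following Python module is an added illustration, not the skill's own code: memory files are written owner-only, retention is bounded by count and age, compaction is dry-run by default and backs up before it deletes (the cron-script finding), remote summarization requires a per-call opt-in and redacts KEY=value secrets first, and deletion is a first-class operation. Class, method and parameter names are assumptions, and the sample conversation is constructed.

```python
# Added example, not the skill's own code; names and limits are assumptions.
import json
import os
import re
import shutil
import stat
import tempfile
import time
from pathlib import Path

SECRET_RE = re.compile(r"(?i)(\w*(?:token|api[_-]?key|password|secret)\w*)\s*[:=]\s*\S+")


class ConsentRequired(RuntimeError):
    """Stored content would leave the host without an explicit opt-in."""


def redact(text):
    """Mask KEY=value style secrets before anything is sent off-host."""
    return SECRET_RE.sub(r"\1=<redacted>", text)


class MemoryStore:
    def __init__(self, path, max_messages=200, max_age_days=30):
        self.path = Path(path)
        self.max_messages = max_messages
        self.max_age = max_age_days * 86400
        self.path.parent.mkdir(parents=True, exist_ok=True)
        if not self.path.exists():
            self._write([])

    def _write(self, entries):
        # Temp file + chmod 0600 + atomic replace: other local users cannot read
        # it, and a crash mid-write cannot leave a half-written memory file.
        tmp = self.path.with_suffix(".tmp")
        with open(tmp, "w", encoding="utf-8") as f:
            f.writelines(json.dumps(e) + "\n" for e in entries)
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
        os.replace(tmp, self.path)

    def _read(self):
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def append(self, role, text, now=None):
        now = time.time() if now is None else now
        self._write(self._read() + [{"ts": now, "role": role, "text": text}])

    def retention_plan(self, entries, now):
        """Entries within max_age, newest max_messages of them, and how many would go."""
        keep = [e for e in entries if now - e["ts"] <= self.max_age][-self.max_messages:]
        return {"keep": keep, "drop": len(entries) - len(keep)}

    def compact(self, dry_run=True, now=None):
        """Apply retention on disk. Dry-run by default: reports, changes nothing."""
        now = time.time() if now is None else now
        plan = self.retention_plan(self._read(), now)
        if dry_run or plan["drop"] == 0:
            return plan["drop"]
        # Timestamped backup so a bad compaction stays reviewable and recoverable.
        shutil.copy2(self.path, self.path.with_name(f"{self.path.name}.bak-{int(now)}"))
        self._write(plan["keep"])
        return plan["drop"]

    def summarize_remote(self, client, consent=False):
        """Send memory to an external summarizer only with opt-in, and redacted."""
        if not consent:
            raise ConsentRequired("remote summarization requires explicit opt-in")
        return client(redact("\n".join(e["text"] for e in self._read())))

    def delete(self):
        """User-initiated deletion of everything stored."""
        if self.path.exists():
            self.path.unlink()


def demo():
    """Exercise the controls on a constructed conversation; returns what was observed."""
    tmp = tempfile.mkdtemp()
    try:
        store = MemoryStore(os.path.join(tmp, "memory.jsonl"), max_messages=2, max_age_days=1)
        for ts, text in [(0.0, "old note"), (99990.0, "plan the release"),
                         (99991.0, "TELEGRAM_TOKEN=000000:placeholder"), (99992.0, "ship it")]:
            store.append("user", text, now=ts)   # constructed messages; placeholder token
        seen = {"mode": stat.S_IMODE(store.path.stat().st_mode), "stored": len(store._read())}
        seen["dry_run_drop"] = store.compact(now=99992.0)            # reports only
        seen["after_dry_run"] = len(store._read())
        seen["applied_drop"] = store.compact(dry_run=False, now=99992.0)
        seen["after_apply"] = len(store._read())
        seen["backups"] = len(list(Path(tmp).glob("memory.jsonl.bak-*")))
        try:
            store.summarize_remote(lambda text: text)                 # no opt-in given
            seen["blocked"] = False
        except ConsentRequired:
            seen["blocked"] = True
        seen["sent"] = store.summarize_remote(lambda text: text, consent=True)
        store.delete()
        seen["deleted"] = not store.path.exists()
        return seen
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```

The `client` passed to `summarize_remote` stands in for whatever external AI call the skill makes; the point is that it only ever receives redacted text and only after the caller passed `consent=True` for that call. A cron job that runs `compact()` with the default dry run produces a count to review, and only a deliberate `dry_run=False` modifies the file, with a backup beside it.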

Vague Triggers

Medium (84% confidence)
Finding
The line '> WARM 层,匹配项目名时加载' (roughly, 'WARM layer: load when the project name matches') defines activation in a broad way that can match on any project-name similarity without clear scoping rules. In an agent skill system, ambiguous loading conditions can cause the wrong project memory to be injected into context, leading to context poisoning, leakage of unrelated project guidance, or incorrect actions based on stale or foreign instructions.
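
One way to scope the WARM layer is to load memory only on an exact match against a project id the workspace declares itself, never on similarity to a directory name. The Python below is an added example, not the skill's own loader; the manifest file name, the memory layout and the sample entries are constructed assumptions. It also shows what a substring match returns for `payments`, which is the context poisoning the finding describes.

```python
# Added example, not the skill's own code; manifest name, layout and sample
# memories are constructed assumptions.
import shutil
import tempfile
from pathlib import Path

WARM_MEMORIES = [  # constructed: one WARM-layer entry per project id
    {"project": "payments", "text": "Use the sandbox gateway for all test runs."},
    {"project": "payments-legacy", "text": "Hotfixes may be pushed straight to main."},
    {"project": "payments-ml", "text": "Fetch the model token from the shared vault."},
]

MANIFEST = ".smart-agent-project"  # assumed: one line holding the canonical project id


def substring_match(project_name, memories):
    """What 'load when the project name matches' becomes when left unspecified."""
    return [m["text"] for m in memories if project_name in m["project"]]


def exact_match(project_id, memories):
    """Scoped loading: the id must be identical, not merely similar."""
    return [m["text"] for m in memories if m["project"] == project_id]


def load_warm_memory(workspace, memories=WARM_MEMORIES):
    """Load WARM memory only for the project id the workspace itself declares.

    No manifest means no declared project, and nothing is loaded rather than
    guessing from a directory name or a partial match.
    """
    manifest = Path(workspace) / MANIFEST
    if not manifest.is_file():
        return []
    return exact_match(manifest.read_text().strip(), memories)


def demo():
    """A workspace named like one project, before and after it declares its id."""
    tmp = tempfile.mkdtemp()
    try:
        workspace = Path(tmp) / "payments-ml"
        workspace.mkdir()
        without_manifest = load_warm_memory(workspace)
        (workspace / MANIFEST).write_text("payments-ml\n")
        return {
            "by_substring": substring_match("payments", WARM_MEMORIES),
            "by_manifest": load_warm_memory(workspace),
            "without_manifest": without_manifest,
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

With substring matching, an agent working in `payments` also receives the legacy project's "push hotfixes straight to main" guidance; with the manifest rule it receives only its own entry, and a workspace that declares nothing receives nothing.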

Missing User Warnings

Medium (90% confidence)
Finding
The skill instructs the agent to automatically generate and save a Task Brief file to `workspace-shared/tasks/` when certain conditions are met, without requiring explicit user confirmation immediately before the write. In an agent workflow skill, implicit file creation is security-relevant because it can cause unexpected persistence of possibly sensitive context, create audit noise, or modify the workspace in ways the user did not authorize for that specific session.

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it clean.