Restart Safe Workflow

Security checks across malware telemetry and agentic risk

Overview

This restart helper is mostly transparent about what it does, but it can run plan-supplied shell commands and scripts during restart recovery, which is broader and riskier than a narrowly safe restart workflow.

Install only if you trust the agents and operators who can provide --next or --tasks-file input. Review every queued action before running, keep ACTION_ALLOWLIST_FILE extremely narrow, avoid command/script actions from untrusted plans, and monitor ./state/restart logs after detached runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch (severity: High, confidence: 98%)

Finding
This is a true issue: despite being presented as a 'safe gateway restart workflow', the script accepts user/task-provided continuation actions that can execute shell commands and scripts after restart. That creates a capability mismatch and can turn a narrowly scoped operational helper into a general post-restart code execution mechanism, which is especially risky because restart workflows often run with elevated operational privileges.

Description-Behavior Mismatch (severity: Medium, confidence: 89%)

Finding
Supporting an external tasks file broadens the tool from a restart orchestrator into a generic task-plan executor. Even if action types are partially validated, this expands attack surface by allowing complex, externally supplied workflows to be loaded and executed under the authority of the restart script.

Context-Inappropriate Capability (severity: High, confidence: 97%)

Finding
The command action path reaches `bash -lc "$action_cmd"`, meaning the skill can execute shell commands derived from task input. Although there is an allowlist, it is prefix-based and optionally replaced by an external allowlist file, so this still introduces dangerous shell execution semantics into a workflow whose stated purpose is safe restart and notification.

Context-Inappropriate Capability (severity: High, confidence: 96%)

Finding
The script action executes a path from task data via `bash -lc "$action_path"`, effectively allowing execution of local scripts as part of resume actions. Path-prefix checks reduce but do not eliminate risk, because any writable or compromised script in the allowed directory becomes executable through this workflow, enabling privilege abuse or persistence.

VirusTotal

66/66 vendors flagged this skill as clean.