技能编排器 (Skill Orchestrator)

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only orchestration skill whose local skill discovery, subtask coordination, result sharing, and optional memory logging are disclosed and aligned with its purpose.

Install only if you are comfortable with a coordinator reading local skill metadata, optionally checking ClawHub for matching skills, passing task summaries between subtasks, and saving brief execution summaries. Keep local skill paths limited to trusted skills and avoid direct-execution or bypass modes for deployments, external side effects, sensitive data, or destructive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The documentation explicitly recommends a `bypassPermissions` mode that skips all approvals, which weakens an important safety control in an orchestration skill that can launch sub-agents and coordinate actions. Even if intended for benign analysis, the same mode could be selected for tasks that read sensitive data, invoke tools, or perform side effects without user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly directs the orchestrator to persist execution-trace data, including session identifiers, task descriptions, invoked skills, conflicts, and outcome summaries, into working memory without any consent, minimization, retention, or sensitivity guidance. In a multi-skill orchestrator, these traces can reveal user intent, intermediate results, and potentially sensitive business or personal content, creating unnecessary privacy and data-retention risk.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The rule to silently proceed whenever the user says "直接执行" ("execute directly") is overly broad and lacks exclusions for risky actions such as deployment, external API calls, personal data handling, or destructive file operations. In an orchestrator skill, this can bypass the very human approval checkpoints intended to prevent high-impact actions, making accidental or prompt-induced authorization more likely.
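One way to bound both the `bypassPermissions` mode from the first finding and the "直接执行" trigger from this one is an approval gate that honors them only for low-risk subtasks and always stops at a human checkpoint for the action classes the finding names. The following is an added example, not code from the 技能编排器 skill or from SkillSpector; the mode names, action classes, trigger phrases and the Subtask/Decision types are hypothetical, and the sample plan is constructed.

```python
"""Approval gate for an orchestrator skill.

Added example, not code from the 技能编排器 skill or from SkillSpector.
A "直接执行" ("execute directly") trigger and a no-approval mode are honored
only for low-risk subtasks; deployment, external API calls, personal-data
handling and destructive file operations always require approval.
Mode names, action classes, trigger phrases and types are hypothetical."""
from dataclasses import dataclass
from enum import Enum

DIRECT_EXECUTE_PHRASES = ("直接执行", "just run it")   # constructed trigger list


class PermissionMode(Enum):
    ASK = "ask"                       # every subtask waits for approval
    BYPASS = "bypassPermissions"      # the mode the finding warns about


# Action classes that never auto-run, whatever the mode or trigger says.
ALWAYS_CONFIRM = frozenset({"deploy", "external_api", "personal_data", "destructive_fs"})


@dataclass(frozen=True)
class Subtask:
    name: str
    skill: str
    actions: frozenset = frozenset()   # action classes the skill metadata declares


@dataclass(frozen=True)
class Decision:
    run_now: bool
    needs_approval: bool
    reason: str


def direct_execute_requested(request: str) -> bool:
    """True when the user's request contains a direct-execute trigger phrase."""
    return any(p in request for p in DIRECT_EXECUTE_PHRASES)


def gate(task: Subtask, mode: PermissionMode, request: str) -> Decision:
    """Decide whether a subtask may run without a human approval step."""
    risky = task.actions & ALWAYS_CONFIRM
    if risky:
        # Exclusions win: neither the trigger phrase nor bypassPermissions
        # removes the checkpoint for high-impact actions.
        return Decision(False, True, f"needs approval for {sorted(risky)}")
    if mode is PermissionMode.BYPASS or direct_execute_requested(request):
        return Decision(True, False, "low-risk subtask, auto-approved")
    return Decision(False, True, "mode=ask: waiting for approval")


def plan_decisions(plan, mode, request):
    """Gate every subtask of a plan; returns {name: Decision}."""
    return {t.name: gate(t, mode, request) for t in plan}


# Constructed sample plan: local telemetry triage, an external IOC upload, a deploy step.
SAMPLE_PLAN = (
    Subtask("scan-telemetry", "malware-telemetry", frozenset({"read_local"})),
    Subtask("submit-iocs", "threat-intel", frozenset({"external_api"})),
    Subtask("deploy-detector", "deploy", frozenset({"deploy", "destructive_fs"})),
)

if __name__ == "__main__":
    for name, d in plan_decisions(SAMPLE_PLAN, PermissionMode.BYPASS, "直接执行").items():
        print(f"{name:16} run_now={d.run_now!s:5} approval={d.needs_approval!s:5} {d.reason}")
```

With both the bypass mode and the trigger phrase present, only `scan-telemetry` runs unattended; the IOC upload and the deploy step still wait for approval because their declared action classes are in the exclusion set.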

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill description normalizes a no-approval execution path without clearly stating the security boundaries or failure modes, which can cause operators or downstream agents to overuse it. In an orchestrator, unsafe defaults are amplified because one planning error can propagate to many sub-tasks and tools.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Automatically injecting `previous_results_json` into every sub-agent prompt risks over-sharing sensitive data across unrelated tasks, violating least-privilege and increasing prompt exposure. In a multi-skill orchestrator, one task's secrets, internal analysis, or user-provided confidential content can be unnecessarily disclosed to many downstream agents or external integrations.
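The least-privilege alternative to blanket `previous_results_json` injection, which also addresses the unminimized execution traces from the second finding, is to give each sub-agent only the results of steps it declares as dependencies, redact secret-looking values before they cross a task boundary, and persist digests with a retention limit instead of raw task text. The following is an added example, not code from the 技能编排器 skill or from SkillSpector; the Step type, the secret patterns, the field names and the sample results are hypothetical and constructed.

```python
"""Scoped result sharing and minimized execution traces for an orchestrator.

Added example, not code from the 技能编排器 skill or from SkillSpector.
A step receives only the results of declared dependencies, secret-looking
values are redacted before sharing, and the memory trace stores digests and
a retention limit instead of task text. All names here are hypothetical."""
import hashlib
import json
import re
from dataclasses import dataclass

# Constructed patterns for values that should never be forwarded between tasks.
SECRET_PATTERNS = (
    re.compile(r"(?i)\b(?:api[_-]?key|token|password|secret)\b\s*[:=]\s*\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),   # AWS access key id shape
)


def redact(value):
    """Replace secret-looking substrings in strings, recursing into dicts and lists."""
    if isinstance(value, str):
        for pat in SECRET_PATTERNS:
            value = pat.sub("[REDACTED]", value)
        return value
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


@dataclass(frozen=True)
class Step:
    id: str
    skill: str
    task: str
    depends_on: tuple = ()   # ids of earlier steps whose results this step may see


def legacy_prompt(step, results):
    """The pattern the finding flags: every prior result goes to every sub-agent."""
    return f"Task: {step.task}\nprevious_results_json: {json.dumps(results, ensure_ascii=False)}"


def scoped_context(step, results):
    """Only declared dependencies, each redacted before it leaves its own task."""
    return {dep: redact(results[dep]) for dep in step.depends_on if dep in results}


def scoped_prompt(step, results):
    ctx = scoped_context(step, results)
    return f"Task: {step.task}\ncontext: {json.dumps(ctx, ensure_ascii=False, sort_keys=True)}"


def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def trace_record(session_id, step, status, retention_days=7):
    """Memory entry with no raw task text or raw session id; carries a retention limit."""
    return {
        "session": _digest(session_id),
        "step": step.id,
        "skill": step.skill,
        "task_digest": _digest(step.task),
        "status": status,
        "retention_days": retention_days,
    }


# Constructed results from two earlier steps; s1 happened to capture a credential.
SAMPLE_RESULTS = {
    "s1": {"summary": "collected env", "env": "API_KEY=sk-test-abc12345"},
    "s2": {"summary": "3 samples classified as trojan"},
}
S3 = Step("s3", "report-writer", "summarise malware telemetry", depends_on=("s2",))
S4 = Step("s4", "remediation", "rotate exposed keys", depends_on=("s1",))

if __name__ == "__main__":
    print(scoped_prompt(S3, SAMPLE_RESULTS))
    print(scoped_prompt(S4, SAMPLE_RESULTS))
    print(trace_record("session-2024-0001", S3, "ok"))
```

The report-writer step never sees the credential captured in `s1` because it did not declare that dependency, and the remediation step that does depend on `s1` receives it with the key redacted; the trace record carries enough to reconstruct which skill ran and whether it succeeded, but neither the task text nor the raw session identifier.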

VirusTotal

66/66 vendors reported this skill as clean. A clean antivirus verdict covers the packaged files only; it does not assess the instruction-level risks listed in the findings above.

View on VirusTotal