ClawHub

Subagent Development

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed development-workflow helper that coordinates subagents for planned coding tasks, with no artifact-backed evidence of hidden persistence, exfiltration, or destructive behavior.

Install this only if you want an agent to make code changes, run tests, create commits, and coordinate reviewer subagents for an implementation plan. Prefer the ClawHub install path or a pinned trusted repository source, and use it on a branch or workspace where automated code edits and commits are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The manifest description says the skill should be used when 'executing implementation plans with independent tasks in the current session,' which is a relatively broad condition and may overlap with many ordinary development workflows. It does not give explicit trigger phrases, boundary conditions, or negative examples to clarify when this skill should not activate beyond the brief high-level description.

Session Persistence

Medium
Category
Rogue Agent
Content
From your project root:

```bash
mkdir -p .cursor/skills
cp -r ~/.ai-skills/skills/meta/subagent-development .cursor/skills/subagent-development
```
Confidence
60% confidence
Finding
mkdir -p .cursor/skills cp -r ~/.ai-skills/skills/meta/subagent-development .cursor/skills/subagent-development ``` #### Cursor (global) ```bash mkdir -p ~/.cursor/skills cp -r ~/.ai-skills/skills/m

Session Persistence

Medium
Category
Rogue Agent
Content
"Mark task complete in TodoWrite" [shape=box];
    }

    "Read plan, extract all tasks with full text, note context, create TodoWrite" [shape=box];
    "More tasks remain?" [shape=diamond];
    "Dispatch final code reviewer subagent for entire implementation" [shape=box];
    "Use superpowers:finishing-a-development-branch" [shape=box style=filled fillcolor=lightgreen];
Confidence
60% confidence
Finding
create TodoWrite" [shape=box]; "More tasks remain?" [shape=diamond]; "Dispatch final code reviewer subagent for entire implementation" [shape=box]; "Use superpowers:finishing-a-development

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal