multi-role

Security checks across malware telemetry and agentic risk

Overview

This is a real multi-role workflow skill, but it gives agents broad file/tool authority and keeps persistent project records that users should review before installing.

Install only if you are comfortable with a workflow skill that can coordinate broad file-reading, file-editing, and sub-agent execution. Use it in a clearly scoped project directory, avoid putting secrets in prompts or logs, ask it to list files read/modified and commands run after important tasks, and periodically review or delete the sessions, task-logs, archives, and metrics files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The skill grants the CTO role operational file-modification powers such as batch path replacement, even though the role is framed mainly as architectural review, technical guidance, and governance. In an agent setting, this expands authority from advisory decision-making into direct repository mutation, increasing the risk of unauthorized or overly broad changes if the role is invoked on sensitive tasks.

Intent-Code Divergence

Severity: Medium
Confidence: 81%
Finding
The constitution explicitly limits the role to external content work and says it must not handle internal project documentation, yet elsewhere grants file-inspection and bulk-edit shell behaviors. That creates a dangerous scope mismatch: a content role can be induced to access or modify internal artifacts under the guise of writing support, increasing the chance of unauthorized access and unintended changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
Mandating use of exec-based commands such as ls, grep, wc, and sed gives a content-writing role operational access to enumerate, inspect, and bulk-modify files without a clear business need. Even if intended for efficiency, these capabilities materially expand the attack surface and can expose sensitive data or enable destructive edits if the role is prompted adversarially or mis-scoped.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The file gives conflicting authority and tool-use rules: one section mandates specific direct tool usage by the steward (for example using exec ls / grep / wc and read in certain cases), while a later section forbids the steward from performing any file read/write operations and requires delegation to an administrative assistant. Contradictory control rules in an agent policy are dangerous because they create ambiguity an agent can resolve inconsistently, leading to unauthorized file access, policy bypass, or unsafe delegation behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The document claims to define all legal task states and transitions, but the transition table introduces an undefined intermediate state, “取消中” (“cancelling”). This inconsistency can cause different agents or automation to implement divergent behavior around cancellation, leading to stuck tasks, invalid state handling, or bypass of termination/control logic in a governance workflow.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding
The file imposes a rigid Chinese-only, ultra-minimal response policy without allowing user language preference or informed opt-in. In a multi-role governance skill, this can suppress transparency, reduce user comprehension, and make it harder for users or reviewers to understand security-relevant actions, especially when the surrounding rules also discourage disclosure of operational details.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README states that the skill will automatically initialize directories, create session memory, task logs, archives, and append cross-skill metrics data, but it does not present a prominent pre-use warning or explicit opt-in for this persistent storage. This creates a real privacy and transparency risk because users may provide sensitive project, debugging, or content information without realizing it will be written to disk and retained across sessions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The specification requires every skill to append telemetry to a shared metrics file automatically, while also stating that records are permanently retained and created without manual initialization. This creates a privacy and governance risk because data is written and retained by default without explicit user notice, consent, retention limits, or access-control guidance, and the shared-file design increases the chance of cross-skill data exposure or unintended disclosure.

Natural-Language Policy Violations

Severity: Medium
Confidence: 94%
Finding
The skill hard-codes Chinese-language interaction and output conventions throughout the document, including mandatory reply templates and role declarations, without indicating that the skill is only intended for Chinese-speaking users or providing any language-selection mechanism. This can cause user intent mismatches, reduce operator comprehension, and create unsafe workflow errors when users or supervising agents cannot accurately understand prompts, confirmations, or constraints.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs writing detailed execution traces and logs into project paths such as sessions/{项目}/task-logs/ without any warning, consent flow, retention limit, or data-minimization rule. In agent environments, task logs often capture prompts, file paths, internal reasoning summaries, errors, and sensitive project context, so silent persistence can leak secrets, create compliance issues, and expose users to unintended long-term data retention.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The bug log template explicitly asks users to paste complete error messages, environment details, and absolute screenshot/log paths, but it provides no guardrails against recording secrets, tokens, credentials, internal hostnames, PII, or other sensitive operational data. In a shared multi-role workflow, this creates a real risk of sensitive data exposure through routine documentation, especially because such logs are retained, shared across roles, and archived.

Missing User Warnings

Severity: Low
Confidence: 93%
Finding
The document recommends broad `find` and `grep -r` commands across the workspace's log directories without any caution that logs may contain secrets, personal data, tokens, credentials, or other sensitive operational information. In a governance/logging standard, this normalizes unrestricted log discovery and content search, which can lead to overexposure of sensitive data to users or roles that should follow least-privilege access practices.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The SOP explicitly requires automatic writes to project memory files and says this cannot be skipped and does not require asking the user first. In an agent skill, mandatory hidden or undisclosed file modification is risky because it can cause unauthorized persistence, alter project state, and create auditability and consent problems, especially when the agent is instructed to do so before reporting completion.

Ssd 3

Severity: Medium
Confidence: 92%
Finding
The skill directs pervasive natural-language logging and retention of operational history, which can capture sensitive user instructions, project details, credentials, or proprietary content in persistent files. Once stored, that data can be resurfaced to later sessions, other roles, or unrelated tasks, increasing the risk of inadvertent disclosure and cross-task data leakage.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The mandatory memory-routing scheme requires loading and reusing persistent project memory across tasks, which normalizes long-term accumulation of user and project context. This raises the chance that sensitive material from prior interactions is unnecessarily injected into later contexts, causing privacy leaks, over-retention, and cross-context contamination.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The startup and workflow instructions explicitly create inboxes, session histories, archives, and task logs for ongoing retention of user/task data. In practice, this establishes a persistent data collection mechanism that may preserve sensitive requests and operational details far beyond the immediate need, making accidental disclosure or later misuse more likely.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The output policy tells the system to suppress details in chat but preserve them in task logs for later lookup, shifting potentially sensitive information into persistent storage rather than eliminating it. That can create a false sense of safety while actually broadening exposure if logs are later read by other sessions, roles, or operators.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The SOP instructs the role to inspect user historical conversations and real usage records to source 'real cases' for content creation. That is a direct privacy and data-minimization problem: a marketing/content role is being told to access potentially sensitive behavioral and conversational data that may contain secrets, personal data, or confidential business information unrelated to the current task.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
Directing the agent to review recent user behavior and historical dialogue to obtain 'real cases' expands the role from content drafting into surveillance-like data mining. In context, this is more dangerous because the role's mission is outward-facing publication, so the accessed history could be repurposed into public content, creating a serious risk of privacy leakage, confidential disclosure, and non-consensual profiling.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The collaboration guidance again tells the role to review users' historical conversations and real usage before writing, reinforcing a standing permission to access sensitive prior context. Repetition across the SOP makes this more dangerous because it normalizes unnecessary access and increases the likelihood that the agent will treat broad history review as routine, not exceptional.

VirusTotal

63/63 vendors flagged this skill as clean.