swarm-executor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent multi-agent coordination skill with deployment and dependency cautions, but no evidence of hidden, destructive, or deceptive behavior.

Install as a coordination library, not as a hardened production control plane. Set max_tokens explicitly if you rely on tier budget enforcement (the percentage quotas are not enforced without it), do not let untrusted agents choose privileged IDs such as 001, and only run the compose stack after reviewing exposed ports, Redis/Grafana passwords, image pinning, and the node-exporter host mounts. Every requirement uses an open lower bound, so also pin the dependencies before deploying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (17)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The code embeds an authorization bypass: a caller whose canceller_id is the literal "001" can cancel any negotiation regardless of the normal ownership check. In a multi-agent coordination system a hard-coded privileged identity is dangerous because it is undocumented, hard to audit, and usable by anyone who can choose or spoof an agent ID or invoke this method with an arbitrary one. Before trusting the cancel path, confirm where canceller_id comes from (an authenticated principal or a caller-supplied request field) and search the code base for other literal ID comparisons of the same kind.
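The ownership check the finding describes, shown as an added example rather than swarm-executor's own code: the first method keeps the literal-ID shortcut the finding calls out, the second takes its admin set from configuration and records who acted and on what basis. The names Negotiation, NegotiationRegistry, cancel_insecure and cancel are assumptions chosen for illustration.

```python
"""Added example (not swarm-executor's code) of a negotiation cancel path:
a hard-coded privileged ID beside a version whose admin set is configured
and whose privileged actions are audited. All names are assumptions."""
from dataclasses import dataclass, field


class NotAuthorized(PermissionError):
    """Raised when the caller may not cancel the negotiation."""


@dataclass
class Negotiation:
    negotiation_id: str
    owner_id: str
    status: str = "open"


@dataclass
class NegotiationRegistry:
    # Privileged identities are explicit, reviewable configuration, not a
    # literal buried in the code path. Empty by default: no superuser exists
    # unless an operator deliberately grants one.
    admin_ids: frozenset = frozenset()
    _store: dict = field(default_factory=dict)
    # Every cancellation is written here with its basis so it can be audited.
    audit_log: list = field(default_factory=list)

    def create(self, negotiation_id: str, owner_id: str) -> Negotiation:
        neg = Negotiation(negotiation_id, owner_id)
        self._store[negotiation_id] = neg
        return neg

    def cancel_insecure(self, negotiation_id: str, canceller_id: str) -> Negotiation:
        """The pattern the finding describes: a literal ID bypasses ownership.
        Any caller that can choose its own agent ID can pass "001"."""
        neg = self._store[negotiation_id]
        if canceller_id != "001" and canceller_id != neg.owner_id:
            raise NotAuthorized(f"{canceller_id} does not own {negotiation_id}")
        neg.status = "cancelled"
        return neg

    def cancel(self, negotiation_id: str, canceller_id: str) -> Negotiation:
        """Hardened form. canceller_id must be the authenticated identity of
        the caller (from the session or a verified token), never a free-form
        request field; this class only decides, it does not authenticate."""
        neg = self._store[negotiation_id]
        if canceller_id == neg.owner_id:
            basis = "owner"
        elif canceller_id in self.admin_ids:
            basis = "admin"
        else:
            raise NotAuthorized(f"{canceller_id} may not cancel {negotiation_id}")
        neg.status = "cancelled"
        self.audit_log.append((negotiation_id, canceller_id, basis))
        return neg


def demo() -> dict:
    """Runs both paths with an unrelated caller claiming "001"."""
    reg = NegotiationRegistry()
    reg.create("n1", owner_id="agent-7")
    insecure = reg.cancel_insecure("n1", "001").status      # succeeds
    reg2 = NegotiationRegistry()                             # no admins configured
    reg2.create("n2", owner_id="agent-7")
    try:
        reg2.cancel("n2", "001")
        hardened = "allowed"
    except NotAuthorized:
        hardened = "denied"
    reg3 = NegotiationRegistry(admin_ids=frozenset({"ops-admin"}))
    reg3.create("n3", owner_id="agent-7")
    reg3.cancel("n3", "ops-admin")                           # configured admin
    return {"insecure_001": insecure, "hardened_001": hardened,
            "admin_basis": reg3.audit_log[-1][2]}


if __name__ == "__main__":
    print(demo())
```

The hardened version still depends on the caller's identity being established upstream; if the service accepts canceller_id from the request body, moving the literal into admin_ids changes nothing, because an attacker simply sends the admin's ID instead of "001".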

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The code documents percentage-based tier quotas but does not enforce them when max_tokens is unset: can_use() returns true in that case, so the configured percentages are informational only. In a swarm coordinator this breaks budget isolation and lets a high-cost tier consume tokens without limit, producing quota bypass, cost overruns and degraded service rather than code execution. The check fails open; a deployment that never sets max_tokens gets no enforcement and no error telling it so.
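An added example, not swarm-executor's code, of tier quotas that are enforced rather than informational. The class TokenBudget, its constructor arguments and the tier names are assumptions; can_use_as_described() reproduces the fail-open behaviour the finding reports, and TokenBudget fails closed instead: an unset max_tokens is a configuration error unless the operator opts in explicitly.

```python
"""Added example (not swarm-executor's code): enforced per-tier token
quotas that fail closed when no total budget is configured."""
from dataclasses import dataclass, field
from typing import Optional


class BudgetConfigError(ValueError):
    """Raised when quotas cannot be enforced as configured."""


def can_use_as_described(max_tokens: Optional[int], used: int, requested: int) -> bool:
    """The pattern the finding describes: no limit means no check at all."""
    if max_tokens is None:
        return True
    return used + requested <= max_tokens


@dataclass
class TokenBudget:
    """Per-tier quotas derived from a total budget. A missing max_tokens is
    rejected at construction unless allow_unbounded=True is passed, so an
    unenforced deployment is a visible, deliberate choice."""
    max_tokens: Optional[int]
    tier_percent: dict                      # e.g. {"high": 60, "low": 40}
    allow_unbounded: bool = False
    used: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.max_tokens is None and not self.allow_unbounded:
            raise BudgetConfigError("max_tokens is unset; tier percentages would not be enforced")
        if self.max_tokens is not None and self.max_tokens <= 0:
            raise BudgetConfigError("max_tokens must be positive")
        total = sum(self.tier_percent.values())
        if abs(total - 100) > 1e-9:
            raise BudgetConfigError(f"tier percentages sum to {total}, expected 100")
        self.used = {tier: 0 for tier in self.tier_percent}

    def limit_for(self, tier: str) -> Optional[int]:
        """Absolute token cap for a tier; None only in unbounded mode."""
        if tier not in self.tier_percent:
            raise KeyError(f"unknown tier {tier!r}")
        if self.max_tokens is None:
            return None
        return int(self.max_tokens * self.tier_percent[tier] / 100)

    def can_use(self, tier: str, tokens: int) -> bool:
        limit = self.limit_for(tier)
        if limit is None:
            return True          # reachable only after an explicit opt-in
        return self.used[tier] + tokens <= limit

    def consume(self, tier: str, tokens: int) -> bool:
        """Check and record in one step so two callers cannot both pass
        can_use() and then both spend. Wrap in a lock if tiers are shared
        across threads; use an atomic store (e.g. Redis INCRBY) across
        processes."""
        if tokens < 0:
            raise ValueError("tokens must be non-negative")
        if not self.can_use(tier, tokens):
            return False
        self.used[tier] += tokens
        return True

    def remaining(self, tier: str) -> Optional[int]:
        limit = self.limit_for(tier)
        return None if limit is None else limit - self.used[tier]


if __name__ == "__main__":
    budget = TokenBudget(max_tokens=1000, tier_percent={"high": 60, "low": 40})
    print(budget.consume("high", 500), budget.consume("high", 200), budget.remaining("high"))
```

With a 1000-token budget and a 60/40 split, the high tier is capped at 600: a 500-token request is accepted, the following 200-token request is refused, and 100 tokens remain. Separating the check from the recording of usage is what the original can_use() invites; keeping them together is the part that makes the quota real.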

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The node-exporter service mounts sensitive host filesystems (/proc, /sys, and /) read-only into the container, which exposes broad host telemetry and filesystem metadata to that service. This is the usual setup for infrastructure monitoring, but it exceeds the core swarm-coordination function and widens the blast radius if the container, its image, or the exposed metrics endpoint is compromised. Read-only does not reduce what can be read: host process lists, kernel parameters and the whole host filesystem tree remain visible to anything that executes inside that container, so the image must be pinned and the metrics port must not be published to untrusted networks.
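The pre-deployment review the overview asks for (exposed ports, Redis/Grafana passwords, image pinning, node-exporter host mounts), as an added example that is not swarm-executor's compose file or code. The compose content is a constructed sample shaped like the dict PyYAML returns; in practice replace it with yaml.safe_load() of the real docker-compose.yml. The service names, values and the severity labels are assumptions for illustration.

```python
"""Added example (not swarm-executor's code): review a compose definition
for published ports, weak secrets, unpinned images and host mounts."""
import re

# Constructed sample, shaped like the dict PyYAML returns for a compose file.
SAMPLE_COMPOSE = {
    "services": {
        "redis": {
            "image": "redis",                          # no tag at all
            "ports": ["6379:6379"],                    # every interface
            "command": "redis-server --requirepass redis",
        },
        "grafana": {
            "image": "grafana/grafana:10.2.3",
            "ports": ["127.0.0.1:3000:3000"],          # loopback only: fine
            "environment": {"GF_SECURITY_ADMIN_PASSWORD": "admin"},
        },
        "node-exporter": {
            "image": "prom/node-exporter:v1.7.0",
            "volumes": ["/proc:/host/proc:ro", "/sys:/host/sys:ro", "/:/rootfs:ro"],
            "ports": ["9100:9100"],
        },
    }
}

SENSITIVE_HOST_PATHS = ("/", "/proc", "/sys", "/etc", "/var/run/docker.sock")
WEAK_SECRETS = {"", "admin", "password", "redis", "changeme", "secret", "grafana"}
SECRET_KEY = re.compile(r"PASS(WORD)?|SECRET|TOKEN", re.IGNORECASE)


def _env_items(env):
    """Compose allows environment as a mapping or a list of KEY=VALUE."""
    if isinstance(env, dict):
        return list(env.items())
    return [tuple(str(item).partition("=")[::2]) for item in env or []]


def _host_path(volume):
    """Host-side path of a bind mount (short or long syntax), else None."""
    if isinstance(volume, dict):
        return volume.get("source") if volume.get("type", "bind") == "bind" else None
    src = str(volume).split(":")[0]
    return src if src.startswith("/") else None


def review_compose(compose: dict) -> list:
    """Return (service, severity, message) tuples for each issue found."""
    issues = []
    for name, svc in (compose.get("services") or {}).items():
        image = str(svc.get("image", ""))
        if "@sha256:" not in image:
            last = image.split("/")[-1]               # ignore registry host:port
            tag = image.rsplit(":", 1)[1] if ":" in last else None
            if tag in (None, "latest"):
                issues.append((name, "medium", f"image '{image}' has no fixed tag"))
            else:
                issues.append((name, "low", f"image '{image}' is tag-pinned but not digest-pinned"))
        for port in svc.get("ports") or []:
            parts = str(port).split(":")
            bind_ip = parts[0] if len(parts) == 3 else None   # "ip:host:container"
            if bind_ip in (None, "0.0.0.0", "::", "[::]"):
                issues.append((name, "high", f"port {port} is published on all interfaces"))
        for vol in svc.get("volumes") or []:
            src = _host_path(vol)
            if src is None:
                continue
            ro = str(vol).endswith(":ro") or (isinstance(vol, dict) and bool(vol.get("read_only")))
            norm = "/" if src == "/" else src.rstrip("/")
            if norm in SENSITIVE_HOST_PATHS:
                issues.append((name, "medium" if ro else "high",
                               f"mounts host path {src} ({'read-only' if ro else 'writable'})"))
        for key, value in _env_items(svc.get("environment")):
            if SECRET_KEY.search(key) and str(value).lower() in WEAK_SECRETS:
                issues.append((name, "high", f"{key} is set to a weak or default value"))
        cmd = svc.get("command")
        cmd_text = " ".join(cmd) if isinstance(cmd, list) else str(cmd or "")
        m = re.search(r"--requirepass\s+(\S+)", cmd_text)
        if m and m.group(1).lower() in WEAK_SECRETS:
            issues.append((name, "high", "--requirepass uses a weak or default value"))
    return issues


if __name__ == "__main__":
    for service, severity, message in review_compose(SAMPLE_COMPOSE):
        print(f"{severity:6} {service:14} {message}")
```

On the constructed sample this reports ten issues: the untagged redis image and its Redis password on the command line, Grafana's default admin password, the node-exporter port on every interface, and its three host mounts (rated medium because they are read-only, high if the :ro were dropped). A tag such as v1.7.0 is better than none but still mutable on the registry side; the check rates it low so that a digest pin can be applied deliberately.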

Unpinned Dependencies

Low
Category: Supply Chain
Confidence: 90% to 98% per package (the scanner reports this once per requirement line, nine findings in total; consolidated here)
Content (requirements as scanned)
redis>=4.5.0
jsonschema>=4.17.0
pydantic>=2.0.0
fastapi>=0.104.0
uvicorn>=0.24.0
python-dotenv>=1.0.0
pytest>=7.4.0
pytest-asyncio>=0.21.0
pytest-cov>=4.1.0
Finding
Every requirement carries only an open lower bound (>=) with no upper bound, no exact pin and no hash, so each install resolves to whatever the index serves at that moment; a new release, a yanked version or a compromised upload changes what runs without any change to the repository. Per-package confidence as reported: redis 97%, jsonschema 97%, pydantic 98%, fastapi 98%, uvicorn 98%, python-dotenv 95%, pytest 90%, pytest-asyncio 90%, pytest-cov 90%. Pin exact versions with hashes (pip-compile --generate-hashes or an equivalent lock file) and raise each lower bound at least to the fixed release of the advisories listed below.

Known Vulnerable Dependency: redis — 4 advisory(ies): CVE-2023-28858 (redis-py Race Condition vulnerability); CVE-2023-28859 (redis-py Race Condition due to incomplete fix); CVE-2023-28858 (redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connectio) +1 more

High
Category: Supply Chain
Confidence: 99%
Finding
redis (requirements: redis>=4.5.0). The advisory text quoted above says redis-py before 4.5.3 is affected, and the lower bound is 4.5.0, so the open range still admits 4.5.0 through 4.5.2. The count of four includes CVE-2023-28858 listed twice under two descriptions, so there are fewer distinct issues than the headline suggests; CVE-2023-28859 is the follow-up for the incomplete fix and needs a later floor than 4.5.3.

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category: Supply Chain
Confidence: 97%
Finding
pydantic (requirements: pydantic>=2.0.0). CVE-2021-29510 is listed twice and was reported against the pydantic 1.x line, which a >=2.0.0 range cannot select; CVE-2024-3772 (regular expression denial of service) was published against both 1.x and 2.x releases, so it does fall inside the range until the floor is raised to its fixed release. Matching here is by package name, not by version range, so each advisory's affected versions have to be checked against the floor before treating it as live.

Known Vulnerable Dependency: fastapi — 3 advisory(ies): CVE-2021-32677 (Cross-Site Request Forgery (CSRF) in FastAPI); CVE-2021-32677 (FastAPI is a web framework for building APIs with Python 3.6+ based on standard ); CVE-2024-24762 (FastAPI is a web framework for building APIs with Python 3.8+ based on standard )

High
Category: Supply Chain
Confidence: 96%
Finding
fastapi (requirements: fastapi>=0.104.0). CVE-2021-32677 is listed twice and was fixed in fastapi 0.65.2, well below the 0.104.0 floor. CVE-2024-24762 concerns a regular expression denial of service in the python-multipart form parser that fastapi addressed by raising its own dependency floor in 0.109.1, so fastapi>=0.104.0 still admits affected releases; it only matters if the service parses form or multipart bodies, which a JSON-only coordination API may never do.

Known Vulnerable Dependency: uvicorn — 4 advisory(ies): CVE-2020-7694 (Log injection in uvicorn); CVE-2020-7695 (HTTP response splitting in uvicorn); CVE-2020-7694 (This affects all versions of package uvicorn. The request logger provided by the) +1 more

High
Category: Supply Chain
Confidence: 97%
Finding
uvicorn (requirements: uvicorn>=0.24.0). CVE-2020-7694 is listed twice; both it and CVE-2020-7695 were fixed in uvicorn 0.11.7, far below the 0.24.0 floor, so the range cannot select an affected release. The fourth advisory ("+1 more") is not shown and cannot be assessed from this page.

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category: Supply Chain
Confidence: 72%
Finding
python-dotenv (requirements: python-dotenv>=1.0.0). Per the quoted description the issue is symlink following in set_key, the function that writes a .env file; a skill that only reads configuration through load_dotenv does not reach that code path. Check whether the code base calls set_key or unset_key before treating this as reachable.
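A check that ties the two supply-chain findings together, as an added example that is neither the scanner's nor swarm-executor's code: it parses the requirements lines shown above, compares each lower bound with the first fixed release of the advisories named in this report, and proposes the minimum floor. The FIXED_IN table is my assumption taken from the public advisories, not from this page; verify it against your own advisory feed. python-dotenv is left out because the page gives no fixed version for CVE-2026-28684.

```python
"""Added example (not the scanner's or swarm-executor's code): does each
requirement's lower bound still admit a release an advisory marks as
affected? Fixed versions below are assumptions to be verified."""
import re

REQUIREMENTS = """\
redis>=4.5.0
jsonschema>=4.17.0
pydantic>=2.0.0
fastapi>=0.104.0
uvicorn>=0.24.0
python-dotenv>=1.0.0
pytest>=7.4.0
pytest-asyncio>=0.21.0
pytest-cov>=4.1.0
"""

# Assumed first-fixed releases (verify against your advisory database):
# package -> {cve: fixed_version}
FIXED_IN = {
    "redis": {"CVE-2023-28858": "4.5.3", "CVE-2023-28859": "4.5.4"},
    "pydantic": {"CVE-2024-3772": "2.4.0"},
    "fastapi": {"CVE-2024-24762": "0.109.1"},
    "uvicorn": {"CVE-2020-7694": "0.11.7", "CVE-2020-7695": "0.11.7"},
}

# name, optional operator and version; anything else is reported unparsed
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|~=|>)\s*([0-9][0-9.]*))?")


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a tuple of ints (no pre-release handling)."""
    return tuple(int(p) for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding shorter tuples with zeros so 4.5 == 4.5.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def normalize(name: str) -> str:
    """PEP 503 name normalisation so Python_Dotenv and python-dotenv match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text: str, fixed_in: dict = FIXED_IN) -> list:
    """One dict per requirement line: name, spec, verdict, cves, suggested pin."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            results.append({"name": line, "spec": line, "verdict": "unparsed", "pin": None})
            continue
        name, op, ver = normalize(m.group(1)), m.group(2), m.group(3)
        advisories = fixed_in.get(name)
        if not advisories:
            results.append({"name": name, "spec": line, "verdict": "no advisory in table", "pin": None})
            continue
        floor = max(advisories.values(), key=parse_version)   # newest fix wins
        if op is None:
            admits = True                       # no bound at all
        else:
            # ==x: affected iff x < floor. >=x, ~=x: x itself is selectable.
            # >x is treated like >=x (conservative: over-reports by one release).
            admits = version_lt(ver, floor)
        verdict = "admits affected release" if admits else "lower bound excludes known advisories"
        results.append({"name": name, "spec": line, "verdict": verdict,
                        "cves": sorted(advisories), "pin": f"{name}>={floor}" if admits else None})
    return results


if __name__ == "__main__":
    for r in check_requirements(REQUIREMENTS):
        print(f"{r['spec']:24} {r['verdict']}" + (f"  -> {r['pin']}" if r["pin"] else ""))
```

Under the assumed table, redis, pydantic and fastapi still admit affected releases while uvicorn's 0.24.0 floor is already above the 2020 fixes. The suggested ">=" floor is the minimum change; the real fix for the unpinned-dependency finding is an exact pin with hashes, which a lock file produces from these floors.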

VirusTotal

66/66 vendors flagged this skill as clean.
