Agile Workflow

Security checks across malware telemetry and agentic risk

Overview

This workflow skill is not clearly malicious, but it can run persistent automation that starts, stops, restarts, and repairs local agents with limited user confirmation.

Install only in a dedicated OpenClaw workspace where you are comfortable with background monitors, local agent launches, process inspection/termination, automatic task-state repair, local logging/caching, and gateway restart behavior. Review the cron/nohup instructions, health-check repair behavior, cleanup scripts, and hard-coded paths before enabling it in a shared or sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (117)

Description-Behavior Mismatch

Medium (84% confidence)
The documented purpose is an agile workflow/task orchestration engine, but the design expands into lifecycle operations such as removing legacy scripts, configs, and processes. That scope creep is dangerous because an execution-capable skill could perform destructive system changes unrelated to the user’s immediate workflow request, increasing the chance of unauthorized modification or service disruption.

Context-Inappropriate Capability

High (95% confidence)
The design explicitly includes stopping running processes and deleting legacy files without showing authorization checks, safety gates, or rollback controls. In an agent skill, these actions can cause denial of service, data loss, or deletion of unrelated assets if paths/process matching are overly broad or triggered in the wrong environment.

Intent-Code Divergence

Medium (80% confidence)
The manifest markets 'zero data pollution,' but the design persists assembled deliverables via saveDeliverable(), creating stored state that may contain user-generated or sensitive project content. This mismatch is risky because operators may rely on the claim and unknowingly expose data to retention, cross-task leakage, or insufficiently protected storage.

Description-Behavior Mismatch

Medium (89% confidence)
The document presents the skill as an agile collaboration workflow engine, but the implementation scope includes host-level agent lifecycle management, health monitoring, and resource control. This mismatch is security-relevant because it expands the skill from workflow orchestration into local process supervision, which increases privilege needs and attack surface beyond what a user would reasonably expect from the manifest.

Context-Inappropriate Capability

High (95% confidence)
The health monitoring design includes process monitoring and automatic restart of local agents, which gives the skill persistent supervisory control over local processes. If abused or misconfigured, this can keep unwanted code running, interfere with system administration, and create a self-healing persistence mechanism that is difficult for users to stop.

Context-Inappropriate Capability

High (97% confidence)
The task assignment and resource configuration imply authority to start, sleep, wake, and stop agent processes using configured commands such as 'node agents/chapter-writer.js'. This is dangerous because command execution tied to workflow logic can become a pathway to arbitrary or unintended process control, especially if agent names, commands, or paths are ever influenced by external input or configuration drift.

Intent-Code Divergence

Medium (84% confidence)
The skill branding claims 'zero data pollution' while the design explicitly performs real-time log monitoring of agents. Logs commonly contain prompts, task content, secrets, and user data, so this contradiction can mislead users about data exposure and create an unacknowledged collection channel.

Intent-Code Divergence

Medium (87% confidence)
The document claims 'zero data pollution' while introducing mutable in-memory caches that can persist prior values across requests. In an agent/workflow context, this can cause cross-request state bleed, stale configuration reuse, or accidental exposure of one user's derived data to another task, especially if cache keys are insufficiently scoped.

Description-Behavior Mismatch

High (98% confidence)
The skill is presented as an agile workflow engine, but it includes a cleanup routine that locates prior skill files and deletes them from the workspace. This expands capability beyond the declared purpose and creates a destructive file-management path that could remove data users did not intend to delete, especially in a shared agent workspace.

Context-Inappropriate Capability

High (99% confidence)
The code invokes shell commands via execSync to copy and recursively delete filesystem content, including rm -rf on directories. Using shell-based destructive operations in a workflow engine materially increases risk because command execution and recursive deletion can cause irreversible loss if paths are wrong, manipulated, or broader than expected.

Intent-Code Divergence

Medium (88% confidence)
The comment claims 'safe removal' of old versions, but the implementation later performs forceful deletion with rm -rf and unlinkSync without interactive safeguards. This mismatch is dangerous because it can mislead reviewers and users into trusting behavior that is actually destructive and irreversible.

Context-Inappropriate Capability

High (94% confidence)
The helper wraps child_process.exec and is later used to run host shell commands for process inspection and OpenClaw service queries. In an agent skill, this expands scope beyond project-local workflow health into host-level introspection, which can expose system state and create an unnecessary command-execution surface if inputs or environment become attacker-controlled.

Context-Inappropriate Capability

High (97% confidence)
This code enumerates host processes with ps|grep to detect agents, which is broader than checking workflow state inside the project directory. Process-list surveillance reveals information about the host runtime and other workloads, and in a shared environment it violates least privilege for a workflow utility.

Description-Behavior Mismatch

Medium (90% confidence)
The file's operational scope includes gateway/session/process monitoring and automatic project-state repair, which materially exceeds a narrow workflow-orchestration or health-reporting role. In skill ecosystems, capability creep is risky because users may invoke the tool expecting analysis only while it reaches into host services and mutates persistent state.

Description-Behavior Mismatch

Medium (91% confidence)
The stress-test code performs real memory/session mutations and calls persistent storage routines, which can alter or pollute retained state outside a clearly isolated test environment. In a skill advertised as an agile workflow engine rather than a dedicated test harness, this creates a genuine integrity risk because executing the script may leave synthetic sessions, decisions, or long-term records in production-like storage.

Context-Inappropriate Capability

Medium (88% confidence)
This file can generate bulk cache writes, high-volume message publication, routing activity, and integration events, which may consume resources or interfere with shared components if run in a live environment. Because the capability is embedded in a backup skill file and is not aligned with the declared business purpose, it increases the chance of accidental misuse, denial-of-service-like load, and operational data contamination.

Context-Inappropriate Capability

High (96% confidence)
The code invokes `pkill -f` with a pattern containing `agentType`, which gives this workflow module the ability to terminate host OS processes based on a broad command-line match. Even if `agentType` is expected to be internal, this is dangerous because pattern-based killing can impact unrelated processes and creates destructive host-level side effects beyond ordinary workflow orchestration.

Intent-Code Divergence

Medium (87% confidence)
The concurrency control can be bypassed after retry exhaustion because `acquireExecutionSlot` logs a forced acquisition and proceeds to create a new slot even when the per-agent limit is still exceeded. This undermines the stated serialization guarantees and can lead to race conditions, corrupted outputs, inconsistent task state, or resource exhaustion when multiple writing tasks run concurrently.

Intent-Code Divergence

Medium (98% confidence)
`isAgentRunning()` returns a Promise, but `checkAgent()` uses it as if it were a boolean. In JavaScript, a Promise object is truthy, so the supervisor will usually treat agents as running and skip needed restarts. In this workflow engine context, that undermines the watchdog’s core availability guarantee and can silently stall queued work.

Intent-Code Divergence

Medium (91% confidence)
The file presents a detailed CONFIG_SCHEMA, but runtime validation only checks a small subset of fields and does not enforce the declared structure. This can allow malformed or unexpected configuration values to be accepted, weakening assumptions elsewhere in the system and potentially enabling unsafe runtime behavior, denial of service, or misconfiguration of security-relevant limits.

Context-Inappropriate Capability

Medium (93% confidence)
The router writes potentially sensitive task content to a predictable local directory and returns a file:// reference, expanding the data exposure surface beyond in-memory routing. In an agent workflow context, task data may contain prompts, secrets, drafts, or user content, so persisting it unencrypted and without access controls can leak data to other local processes, logs, backups, or downstream agents that dereference the path.

Description-Behavior Mismatch

Medium (94% confidence)
The verifier persists violation data to a fixed local log file and later reads it back for statistics, which expands the component from pure validation into local data retention and audit behavior. Because it logs serialized input data, sensitive or proprietary user content may be written to disk without clear consent, creating privacy and data-handling risk in a workflow tool context.

Context-Inappropriate Capability

Medium (93% confidence)
The code hardcodes a local filesystem path for audit-style logging in a skill described as an agile workflow/data verifier, without strong functional justification. Fixed-path writes can leak data to an unintended location, break tenant isolation, and create silent persistence of user-submitted content on the host system.

Intent-Code Divergence

Low (87% confidence)
The method documentation says it only throws on failure, but the implementation also writes to disk and emits console output. This mismatch can cause callers to use the function in sensitive contexts without realizing it creates persistence and disclosure side effects, increasing accidental data exposure risk.

Context-Inappropriate Capability

Medium (95% confidence)
The failure handler launches an external `openclaw agent` subprocess using task-derived fields (`agent`, `description`) to trigger autonomous repair actions. In this skill's context, that creates a powerful execution boundary crossing from local workflow state into agent invocation, which is significantly riskier than simple task-state management and could be abused to trigger unintended agent actions or uncontrolled subprocess creation.

VirusTotal

64/64 vendors flagged this skill as clean.