
Security audit

agent-system

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it acts as a very broad agent orchestrator and tells the assistant to proceed without clarification or confirmation, so users should review it carefully before installing.

Install only if you intentionally want a broad planning layer to influence task routing. Keep separate approval requirements for file changes, account actions, external posting, financial or business mutations, and other irreversible work, and avoid passing secrets or sensitive user content through its logs or learning-state paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Missing User Warnings (Medium, 93% confidence)

The rules explicitly require the agent to continue with defaults or guesses when information is missing and to avoid asking clarifying questions or requesting confirmation. In an orchestration system that handles analysis, planning, and multi-step task execution, this can produce fabricated or unsafe outputs without clearly warning the user that key inputs were absent.

Vague Triggers (Medium, 92% confidence)

The README advertises very broad activation phrases such as '分析' (analyze), '帮我' (help me), '处理' (handle), and '执行' (execute), which can match ordinary user requests unrelated to this skill's intended scope. In an agent-dispatch skill, overly broad triggers increase the chance of unintended invocation, causing the system to route generic requests into autonomous multi-step handling when the user did not explicitly ask for it.

Vague Triggers (Medium, 88% confidence)

The manifest example describes activation in ambiguous terms like '当用户描述需要"分析"、"规划"、"拆解任务"时激活' (activate when the user describes a need for "analysis", "planning", or "task decomposition"), without defining exclusions, confidence thresholds, or consent requirements. Because this is the core orchestration skill, ambiguous activation can overreach and become a catch-all router for normal conversation, increasing the blast radius of any downstream agent behavior.

Vague Triggers (Medium, 94% confidence)

The activation description uses broad phrases like '分析' (analyze), '规划' (plan), '拆解任务' (break down tasks), and '多步骤处理' (multi-step processing), which are common in ordinary user requests. This creates a real risk of unintended skill activation, causing the orchestrator to intercept prompts outside its intended scope and potentially alter routing, output format, or downstream behavior.

Vague Triggers (Medium, 95% confidence)

The intent-recognition table maps very generic keywords such as '写' (write), '生成' (generate), '代码' (code), '选择' (choose), and '计划' (plan) to execution modes without contextual checks. Because these terms appear in many benign conversations, the skill may misclassify requests and invoke planning/execution pipelines unexpectedly, increasing the chance of overreach or incorrect autonomous behavior.

Vague Triggers (Medium, 96% confidence)

The activation criteria are extremely broad (e.g., analysis, planning, multi-step processing), so this skill can trigger on many ordinary user requests and override more specific or safer skills. In an agent orchestration context, broad activation increases the chance of unintended routing, policy bypass through wrong tool selection, and execution of unnecessary autonomous workflows.

Vague Triggers (Medium, 95% confidence)

The intent-recognition keywords are too generic (e.g., write, compare, choose, code), which makes accidental activation highly likely across routine prompts. Because this is a core scheduler, misclassification can cascade into planning, execution, review, and self-heal behaviors that the user did not request, increasing the attack surface and the risk of unsafe autonomous actions.

Ssd 3 (Medium, 90% confidence)

The orchestrator requires continuous recording of metrics for evolution, and elsewhere the rules direct persistence of failure patterns and session metrics to local files. Without limits on what may be logged, this creates a credible risk that prompts, outputs, errors, and sensitive user-provided content are retained unnecessarily and exposed through logs.

Ssd 3 (Medium, 97% confidence)

These rules mandate logging every session to local files and standardize JSON event records, but they do not restrict inclusion of task content, inferred data, placeholders, or other user-supplied material. In a central agent system, broad local logging increases the chance of sensitive data retention, accidental disclosure, and secondary misuse through debugging or future analysis.

Ssd 3 (Medium, 94% confidence)

The module stores execution logs in a process-global array and records arbitrary details in plain language, creating a persistent in-memory retention channel for user and task data. In an agent system handling potentially sensitive prompts, this increases the chance of cross-request data exposure, later disclosure through APIs, or accidental inclusion in diagnostics.

Ssd 3 (Medium, 97% confidence)

planner() embeds the raw user input into the goal field and returns it downstream, which can propagate secrets, personal data, or confidential instructions into later stages, logs, and client-visible responses. In orchestration code, reflecting untrusted input into shared metadata expands the number of places where sensitive content can leak.

Ssd 3 (Medium, 98% confidence)

The public accessors getLogs() and getLearningState() expose accumulated operational history and retained failure/success data to any caller that can import the module. Combined with global retention, this creates a straightforward disclosure path for prior users' prompts, task descriptions, errors, and learned state across sessions.

VirusTotal

53/53 vendors flagged this skill as clean.
