clawteam-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-agent orchestration guide, but it should be used carefully because it can spawn local agents and modify worktrees through an external CLI.

Install only if you intentionally want local multi-agent orchestration. Verify and pin the external `clawteam` CLI, start in a disposable repository, keep approval prompts enabled, avoid subprocess/custom backend modes unless you trust the environment, monitor spawned agents, and clean up `~/.clawteam/` state and worktrees when finished.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger list includes very broad terms such as "team," "swarm," and "parallel agents," which are common in benign conversation and can cause the skill to activate unintentionally. Because this skill can create agent swarms, launch subprocess-backed workers, and operate on repositories/worktrees, accidental invocation increases the chance of unintended high-impact actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal