Workflow Runner

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned workflow automation, but it needs review because it can run extracted code, keep subagent sessions, write files, and create local commits with limited guardrails.

Install only if you are comfortable with an automation skill that can run local code, write results, create local commits, and keep reusable subagent state. Use it in a clean or disposable repository, review diffs before accepting work, disable automatic commits where possible, and clear or avoid reusing bundled session state before first use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The script unpacks a user-supplied artifact and then directly executes `./code/scripts/hello.sh` from that extracted content. This allows arbitrary code execution in the context of the testing worker, and the surrounding comment understates the behavior as a simple output check, which can mislead reviewers and operators about the true risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly states it will create local git commits and write artifacts to results/ automatically, but it does not describe any explicit confirmation, scope limits, or safeguards before modifying the workspace. Even though the actions are local, they still change repository state and files, which can surprise users, interfere with ongoing work, or persist unintended changes generated by subagents.

Vague Triggers

Severity: Low
Confidence: 83%
Finding
The trigger guidance uses broad natural-language activation such as 'Run workflow: implement <short spec>', which can overlap with ordinary user requests for implementation help and cause the skill to activate unexpectedly. In this skill, accidental activation is more concerning because the workflow can spawn persistent subagents, run iterative loops, write artifacts, and make local commits.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The worker executes a script extracted from the supplied artifact without any trust verification, confirmation, or sandboxing. In this context, that means anyone controlling the artifact can run arbitrary shell commands on the runner, potentially leading to data exfiltration, tampering with test results, or compromise of the host/adjacent systems.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
Extracting an untrusted tar archive into the working directory is dangerous because archives can contain malicious paths, symlinks, or files intended to influence later execution. Here, the risk is amplified because extracted contents are subsequently executed, so archive extraction becomes part of an end-to-end code execution path.

VirusTotal

54 of 54 vendors reported this skill as clean.