Multi Agent

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate multi-agent orchestration skill, but it gives agents under-scoped local command and file authority, including an unsafe shell fallback.

Install only in a trusted or disposable workspace until the executor is constrained. Review the external react-agent dependency, avoid running tasks containing untrusted text, and require sandboxing or explicit approval for file writes, web access, and command execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The Executor role contains shell-execution logic in a component whose purpose is generic multi-agent role orchestration, creating an unnecessary command-execution capability. Even though the current command is wrapped in an echo, it still passes attacker-controlled task content into a shell command string, which can enable shell injection via crafted input such as embedded quotes or command substitution.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README explicitly advertises web/data-fetching and code-execution capabilities ('Tavily Search, Web Fetch', 'Code Sandbox, Exec') but does not warn users about privacy exposure, network access, or system-impact risks. In an agent skill, this omission can lead operators to enable powerful capabilities without understanding that prompts or retrieved data may trigger outbound requests or code execution against sensitive environments.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly advertises dangerous capabilities such as `write_file` and `execute_command` but does not provide any warning, scoping, or safety constraints around their use. In a multi-agent orchestration context, this is more dangerous because a planner/executor workflow can amplify unsafe actions and make command execution or file modification appear routine, increasing the chance of destructive or unintended operations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script launches an agent workflow that is explicitly instructed to list directory contents, read package.json, count files, and generate a report using a fully registered toolset, but it does so automatically without any user confirmation, scope restriction, or disclosure boundary. In an agent/tooling context, this is dangerous because file-system inspection and summarization can expose sensitive project metadata or contents unintentionally, especially if the available tools are broader than the task text suggests.

Missing User Warnings

Medium
Confidence: 96%
Finding
The code silently falls back to shell execution without any user confirmation, policy gate, or safety interstitial. In an agent context, this is especially dangerous because untrusted task text may be routed into OS-level execution automatically, increasing the chance of unintended or attacker-influenced command execution.

VirusTotal

VirusTotal findings are pending for this skill version.