React Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent agent-orchestration skill, but its optional Code Mode can run generated code on the user's machine with broad access, while its documentation describes that execution as if it were sandboxed.

Review before installing. The main orchestrator is not a stealth payload and does not appear to run automatically on install, but do not enable Code Mode or register file, shell, PowerShell, network, or credential-using tools unless you add your own sandboxing, allowlists, path restrictions, environment filtering, logging, and explicit user approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding:
The Code Mode examples normalize execution of dynamically generated JavaScript as a performance optimization, but the shown code can import modules, access environment variables, perform network requests, and run arbitrary logic. In an agent skill context, this materially increases the risk of prompt-to-code execution, secret exposure, and unauthorized actions if user or model-controlled input reaches the generated code.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding:
The code claims to execute in a sandbox, but it actually writes attacker-controlled code to a temporary file and runs it with real Node.js or PowerShell. The JavaScript path inherits the full parent environment and both paths can access the host filesystem, network, and local OS capabilities, so this is effectively arbitrary code execution rather than isolation.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding:
The module documentation promises that critical operations pause for human confirmation, but the implementation explicitly allows approval bypass through `enabled: false` and `autoApprove`. This mismatch is dangerous because integrators may rely on the documented safety property and unknowingly deploy a configuration that permits sensitive actions without human review.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding:
The `HITLConfig` typedef omits `autoApprove`, even though it materially changes security behavior by silently bypassing human approval. Hidden or undocumented security-relevant options increase the chance of unsafe deployment, incorrect reviews, and accidental weakening of approval controls.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding:
The engine executes any tool selected by its reasoning logic via `toolRegistry.get(thought.toolName)` and directly calls `tool.fn(thought.params)` without enforcing per-tool allowlists, capability restrictions, or parameter validation in this file. In a skill context, that means user-controlled queries can steer the agent into invoking sensitive registered tools such as file-read or network search, expanding attack surface to data exfiltration, unsafe file access, or unintended outbound requests.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding:
The README encourages use of network-enabled tools and direct HTTP requests to third-party services, but it does not warn users that prompts, queries, or other data may be transmitted externally. In an agent/orchestrator context, this is more dangerous because users may pass sensitive data through tools automatically, creating privacy, compliance, or data-leak risks without clear consent.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding:
The skill explicitly integrates an external search service using an API key and sends user-provided queries to that service, but the documentation does not warn users that their prompts may leave the local environment. This creates a real privacy and data-handling risk because users may unknowingly submit sensitive prompts, internal project names, or proprietary research to a third party.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding:
The guide demonstrates network search and file read/write capabilities but does not prominently warn that prompts, queries, or file contents may contain sensitive data and may be transmitted externally or modify local data. In an agent skill context, omission of these warnings increases the chance that developers enable risky tools without adding consent, scoping, or auditing controls.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding:
The file-write template performs arbitrary filesystem modification based on input parameters with no confirmation, path restriction, or safety guard. In this skill, that is more dangerous because the same component is designed to translate tool calls into executable code, so untrusted inputs could overwrite application files, configs, or user data.

Missing User Warnings
Severity: Medium
Confidence: 80%
Finding:
The search template makes outbound requests and uses an API key from environment variables without any disclosure or policy checks. While network access is expected for a search tool, in this context it can transmit user-supplied data externally and consume sensitive credentials automatically, which raises privacy and data-handling risk.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding:
The JavaScript execution path spawns a real Node.js subprocess to run generated code without any approval or trust boundary. Because the code being run can come from templates and parameters and the child inherits `process.env`, this provides a direct route to execute arbitrary local actions and access secrets.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding:
The PowerShell path writes generated script content to disk and executes it with `powershell.exe` using `-ExecutionPolicy Bypass`, all without user disclosure. In practice this is arbitrary script execution on the host and may enable system changes, credential access, and persistence depending on the account privileges.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
