Consensus Commons

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it can create and lock authoritative-looking governance decisions without enforcing the validation and review controls it advertises.

Install only if you intentionally want a Spacebase1 council demo or prototype. Use mock mode first, do not treat its LOCKED or PASS outputs as real governance assurance, and use scoped, revocable Spacebase credentials only for public, low-stakes topics until validation gates and approval controls are enforced.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill advertises offline/mock operation but also includes live Spacebase1 commands, credential variables, and Python/client examples indicating external network interaction, while the declared allowed-tools omit any explicit network-capable permission. This mismatch can mislead operators and policy enforcement layers about the skill's true capability surface, increasing the chance of unintended outbound connections or review bypass.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The skill embeds validator content that asserts checks such as evidence review, logical consistency, trace integrity, and lock-state correctness without performing any actual verification in code. This creates a false assurance channel where downstream users or systems may trust a 'validated' or 'passed' outcome even when prior outputs were never examined, weakening any governance or approval workflow built on these reports.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The runner unconditionally appends a contrarian step, creates a validation post, posts a summary claiming consensus, and then attempts to lock the root intent regardless of whether any substantive checks succeeded or any challenge remained unresolved. In a decision-governance skill, this effectively bypasses the deliberation and hardening model the skill claims to provide, allowing untrusted or low-quality outcomes to be promoted to a locked state with an audit trail that appears legitimate.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The description says to use the skill whenever the user needs broad categories like structured decision-making, consensus building, governance decisions, or risk council behavior. Such expansive invocation guidance can cause the skill to be auto-selected for many ordinary requests, increasing exposure to tool use, file writes, or live integrations in contexts where the user did not specifically request this high-complexity multi-agent workflow.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The general routing keywords include extremely common terms such as 'should', 'decide', 'recommend', and 'evaluate', which appear in routine user queries. In a skill with Bash/Write/Edit capabilities and optional live integration, this vague matching materially raises the risk of over-invocation, causing unnecessary execution, data handling, or external interaction for benign everyday prompts.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The code changes the root intent's lock state first to CHALLENGED and then to LOCKED through adapter.client.lock_intent without any user-facing confirmation, approval checkpoint, or indication that this skill mutates persistent state. In a system described as governance and decision-making infrastructure, silent state transitions can prematurely finalize decisions, interfere with human review, or be abused by callers to force workflow progression unexpectedly.

VirusTotal

59/59 vendors flagged this skill as clean.