claw-orchestra

Security checks across malware telemetry and agentic risk

Overview

This is a real multi-agent orchestration skill, but it gives agents broad automatic authority without enough user control or privacy scoping.

Install it only if you intentionally want automatic multi-agent delegation. Before doing so, review when it activates, which tools sub-agents may receive, and where report files and cost/experience logs are written. Avoid using it on sensitive tasks unless you can disable broad tool access, persistence, and automatic file sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding:
The skill clearly instructs the agent to generate and send Markdown files, which implies file write capability, yet no permissions are declared. This creates a transparency and policy-enforcement gap: users and the platform may not realize the skill can create artifacts and read/write local data as part of orchestration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
When no explicit tool list is provided, the prompt advertises powerful capabilities including write and exec and says they may be selected automatically. In an LLM-driven orchestrator, exposing these capabilities by default materially increases the chance that prompt injection, model error, or unsafe task decomposition will lead to filesystem modification or command execution beyond the user's intent.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The trigger list includes broad, common terms such as '编排' (orchestration), '协调器' (coordinator), '指挥官' (commander), and 'orchestra/orchestrator', which can plausibly appear in ordinary user requests unrelated to this specific skill. In an agent platform, this raises the chance of unintended activation, causing the skill to intercept prompts, alter routing, and invoke multi-agent behavior or tool use when the user did not explicitly request this capability.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The trigger list contains broad terms such as orchestrator, coordination, task decomposition, and common Chinese equivalents that could activate the skill for ordinary planning requests. Overbroad activation increases the chance the skill takes over benign conversations and initiates multi-agent behavior, file generation, or external actions the user did not specifically request.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill mandates generating an MD file and sending it to the user, while explicitly discouraging normal chat output, without any disclosure or opt-in. Forced file creation/transmission can exfiltrate sensitive task content into artifacts, surprise users, and bypass expected conversational review before data is packaged and sent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The workflow operationalizes automatic report generation and file sending immediately after sub-agent completion, again without warning or approval. In a multi-agent context, this is more dangerous because synthesized outputs from several agents may contain sensitive prompts, gathered data, or incorrect conclusions that get packaged and transmitted automatically.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The adapter forwards assembled task text, including context entries and instructions, directly to an externally injected spawn function with no validation, trust boundary checks, redaction, or user-visible disclosure. In a multi-agent orchestrator, those task payloads may contain sensitive prompts, user data, or internal reasoning context, so sending them to an arbitrary injected function can cause unintended data exfiltration or disclosure to an external service.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The tracker persists task descriptions and session identifiers to a JSON file on disk without any consent flow, minimization, redaction, or access-control logic in this module. In a multi-agent orchestrator, task text can easily contain sensitive prompts, user data, internal project details, or identifiers, so writing it verbatim to a predictable path increases privacy and data exposure risk if the file is read by other processes, users, backups, or logs.

VirusTotal

64/64 vendors flagged this skill as clean.