Security audit

Multi Model Consensus

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate multi-model review workflow, but it may share your task with several selected models and save reports locally.

Install this only if you want your decision materials reviewed by several selected models. Do not submit confidential, regulated, or proprietary content unless every selected provider is acceptable, and remember that final reports may be archived in OpenClaw memory or written to your Desktop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Description-Behavior Mismatch

Medium, 90% confidence
Finding
The skill states that committee child agents must not use any tools, yet the manifest grants Read and Write and the workflow explicitly performs file I/O. This policy/implementation mismatch creates a confused-deputy risk: an agent following the manifest rather than the prose can read or write files unexpectedly, including user-visible artifacts and workspace data.

Vague Triggers

Medium, 89% confidence
Finding
The activation phrases include generic requests like reviewing or making a decision on a plan, which can overlap with normal user conversation and unintentionally invoke the skill. In an agent framework, accidental activation can cause unplanned multi-model orchestration, extra data sharing with additional models, and unnecessary tool usage or cost.

Vague Triggers

Medium, 88% confidence
Finding
The auto-activation trigger matches broad natural-language phrases like '多模型决策' or '多模型委员会' without exclusion rules or confirmation gates. That can cause the skill to activate unexpectedly in ordinary conversation, leading to unintended spawning of subagents, extra data sharing across models, and unnecessary tool use.

Missing User Warnings

Medium, 93% confidence
Finding
The skill permits writing final reports directly to the user's Desktop without a clear, explicit consent step at write time. Unprompted filesystem modification is dangerous because it can leak sensitive task contents into persistent locations, create clutter or overwrite files the user did not expect to be touched, and normalize unsafe write behavior.

Missing User Warnings

Medium, 95% confidence
Finding
The README says the skill auto-activates on trigger phrases, but it does not clearly warn that user-provided task content may then be sent to multiple model sub-sessions. In this skill's context, the core operation is cross-model distribution, so failing to obtain explicit informed consent can lead to unintended disclosure of sensitive business, personal, or confidential data to additional models/providers.

Missing User Warnings

Medium, 97% confidence
Finding
The Chinese README explicitly states that the organizer distributes the user's decision materials to all selected models, yet it provides no prominent privacy warning or consent checkpoint. Because this skill is specifically designed to fan out potentially sensitive user content across multiple external model sessions, the context makes the omission more dangerous: confidential inputs could be replicated to several providers or endpoints without the user's informed approval.

VirusTotal

65/65 vendors flagged this skill as clean.