Claw Orchestrator - CC+WBClaw Multi-Agent Collaboration

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a real multi-agent automation tool, but it automatically delegates file-writing work to another agent with permission checks bypassed and through an unsafe shell invocation.

Install only if you intentionally want this skill to run a local external agent that can read and write project files. Use it in a disposable or well-versioned workspace, review the hard-coded paths before running, and avoid passing untrusted task text because the current command construction creates command-injection risk.

SkillSpector (7)

By NVIDIA

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env = os.environ.copy()
env["PATH"] = os.path.dirname(NODE) + ";" + env.get("PATH", "")

r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=180, cwd=WORKDIR,
                   env=env, encoding="utf-8", errors="replace")
t1 = time.time()
Confidence
97% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=180, cwd=WORKDIR, env=env, encoding="utf-8", errors="replace")

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The workflow explicitly instructs use of `--permission-mode bypassPermissions`, which disables an important safety control around file access. In an orchestration skill that forwards user tasks to another agent, this sharply increases the chance of unauthorized or over-broad file writes if the prompt is ambiguous, malicious, or manipulated.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Recommending direct PowerShell-based subprocess invocation broadens the execution surface from simple orchestration to arbitrary local command execution. That makes prompt-to-command abuse, unsafe environment inheritance, and accidental execution in sensitive directories more likely, especially when combined with file-writing behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code explicitly instructs the CC agent to write complete deliverable files immediately and grants it the Write tool, which exceeds the stated analysis-first orchestration role. This is dangerous because the trusted orchestrator directly delegates filesystem mutation to an LLM without a review gate, making prompt injection or unsafe tasking result in unintended file creation or overwrite.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad and generic, such as asking to 'use collaboration mode' or having CC generate something and preview it. Broad triggers raise the likelihood of accidental invocation for requests where users did not intend multi-agent execution, file generation, or subprocess activity.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill describes writing files, generating reports, previewing outputs, and bypassing permissions, yet does not present a user-facing warning about these system-impacting actions. This undermines informed consent and can lead to unexpected local file modification or execution behavior under the guise of routine orchestration.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill launches an external agent with `--permission-mode bypassPermissions` and write access without any explicit warning, consent step, or high-risk confirmation. In this context, that means a user task can trigger unrestricted automated file writes in the project directory with little visibility, increasing the chance of destructive or malicious outcomes.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
