Agent Os

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a local collaboration helper, but one script reads agent memory outside the documented project folder despite claims that it will not.

Install only if you are comfortable with local project coordination files being created under .agent-os and with mission control potentially scanning .workbuddy memory logs for aggregate leverage metrics. Review or patch mission_control.py first if you expected the skill to stay strictly inside .agent-os or avoid home-directory paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium (89% confidence)

Finding
The script reads leverage data from .workbuddy/memory paths outside the declared .agent-os workspace, including the current directory and a hard-coded home-directory location. That expands the tool's trust boundary and can unintentionally ingest unrelated or sensitive user data into the generated report, creating a data exposure and scope-creep issue even without explicit user consent.

Vague Triggers

Medium (87% confidence)

Finding
The trigger list contains very broad phrases such as 'agent os', 'multi-agent collaboration', and 'agent handoff', including multilingual variants, which can cause the skill to activate in many ordinary coordination contexts where the user did not intend to invoke this capability. Because the skill has access to Read/Write/Edit/Bash/Glob/Grep, overbroad activation increases the chance of unintended filesystem changes, execution of helper scripts, or interference with other workflows.

Vague Triggers

Medium (91% confidence)

Finding
The scenario-based activation rule ('working with multiple agents on the same workspace and need shared state, audit trails, or human decision compression') is subjective and broad, making accidental activation likely during normal project collaboration. In this skill's context, that ambiguity is more dangerous because the documented onboarding and command flows encourage reading workspace state and writing under .agent-os, so an unintended match can lead to unnecessary data collection, file creation, or workflow hijacking.

VirusTotal

65/65 vendors flagged this skill as clean.