Agent Causal

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local experiment-analysis helper with optional PostHog access and local result history, and the sensitive parts are purpose-aligned rather than hidden.

Install only from the intended GitHub release, use a read-only PostHog token if enabling the connector, avoid storing sensitive experiment data with --save unless needed, and periodically remove ~/.agent-causal/history.db or ~/.posthogrc in shared environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence: 86%
Finding
The skill asserts that commands are 'fully hardcoded with no user-supplied strings interpolated into shell execution,' but the documented interfaces accept attacker-controlled values such as file paths, experiment IDs, names, and ports. If an integrating agent trusts this claim and builds shell commands unsafely around those inputs, the mismatch can enable command injection, argument injection, or unsafe file/port access patterns.

Session Persistence

Medium
Category: Rogue Agent
Content
**No runtime network access during analysis.** The decision engine, audit, and cohort analysis do not make outbound requests.
**Tools used:** `exec` (for running the `agent-causal` CLI commands you specify). Commands are fully hardcoded with no user-supplied strings interpolated into shell execution.
**PostHog token scope:** Use a read-only API token with minimal scopes. Do not use tokens with write or admin permissions.
**Credential handling:** PostHog API credentials are read from env vars (`POSTHOG_API_KEY`/`POSTHOG_PROJECT_ID`) or a local `~/.posthogrc` file — never hardcoded or logged.

---
Confidence: 84%

VirusTotal

63/63 vendors flagged this skill as clean.