ClawHub

Subagent Driven Development

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed coding-workflow helper that coordinates subagents and reviews, with no supported evidence of hidden persistence, exfiltration, or deceptive behavior.

Install this if you want an agent to coordinate implementation tasks, reviews, tests, and commits in a repository. Use it only on branches and codebases where you are comfortable allowing subagents to make code changes and commits, and keep the review gates enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Low
Confidence
88% confidence
Finding
The manifest description says the skill should be used 'when executing implementation plans with independent tasks in the current session,' which gives positive conditions but no negative examples beyond the later body text. In a markdown/manifest context, this can leave some ambiguity about edge cases such as partially dependent tasks or mixed planning/execution situations.

Session Persistence

Medium
Category
Rogue Agent
Content
"Mark task complete in TodoWrite" [shape=box];
    }

    "Read plan, extract all tasks with full text, note context, create TodoWrite" [shape=box];
    "More tasks remain?" [shape=diamond];
    "Dispatch final code reviewer subagent for entire implementation" [shape=box];
    "Use superpowers:finishing-a-development-branch" [shape=box style=filled fillcolor=lightgreen];
Confidence
60% confidence
Finding
create TodoWrite" [shape=box]; "More tasks remain?" [shape=diamond]; "Dispatch final code reviewer subagent for entire implementation" [shape=box]; "Use superpowers:finishing-a-development

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal