DoubleAgent — Generator-Evaluator Dual Agent Pattern

Security checks across malware telemetry and agentic risk

Overview

This review/evaluation skill is mostly coherent, but it gives a helper broad local execution authority by default, so users should review it carefully before installing.

Install only if you want this skill to participate in code-review closeout workflows. Before running its helper, prefer the documented no-yolo mode or otherwise confirm you are comfortable with nested agent execution that bypasses approvals and has full local sandbox access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding:
The skill references local files and scripts (`references/...`, `scripts/...`) and describes operational patterns that imply file read/write behavior, but it does not declare permissions accordingly. This creates a transparency and governance gap: an agent or platform may invoke file-capable behavior without explicit user or runtime awareness, increasing the risk of unintended file access or modification during use.

Vague Triggers

Medium
Confidence: 83%
Finding:
The activation criteria are broad enough to match many ordinary AI engineering tasks, which can cause the skill to be invoked in contexts far beyond its intended scope. Because the skill promotes multi-agent execution, file interaction, and browser-based evaluation patterns, over-activation increases the chance of unnecessary privilege use, unintended automation, or risky workflow insertion into unrelated tasks.

VirusTotal

64/64 vendors flagged this skill as clean.
