Self-Improving Proactive Decision Making Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local decision-memory assistant, with privacy and persistence caveats but no evidence of hidden, destructive, credential-seeking, or exfiltrating behavior.

Install only if you want a persistent local decision-memory system. Review ~/decision-making/ periodically, avoid storing secrets or highly sensitive personal, medical, financial, or confidential business details, and add the SOUL.md or HEARTBEAT.md snippets only if you want proactive cross-session behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The setup expands a scoped decision-support skill into persistent agent-wide steering by instructing edits to SOUL.md, AGENTS.md, and HEARTBEAT.md. This creates durable behavior changes outside the skill's immediate purpose, increasing the chance of overreach, unexpected autonomy, and hidden persistence across future interactions.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The HEARTBEAT integration adds ongoing background review behavior to a decision-support skill, which is not necessary for basic interactive decision assistance. Persistent heartbeat hooks can cause the agent to monitor, trigger, or act on future state changes in ways the user may not expect, expanding both autonomy and attack surface.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The skill advertises very broad trigger phrases such as general tradeoff, risk/reward, and "what should I do about X", which can match ordinary conversation and cause the skill to activate when the user did not clearly request decision-support behavior. Because this skill persistently stores decision preferences and history, over-triggering increases the chance of collecting and retaining personal behavioral data without sufficiently explicit user intent.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The proactive detection rules are ambiguous and expansive, such as activating when multiple options are discussed or when a goal conflicts with a constraint. In context, this is riskier because the skill is designed to infer preferences over time and write to local storage, so a broad proactive trigger can lead to unsolicited profiling or logging from routine conversations rather than explicit user requests.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The top-level description emphasizes self-improving behavior but does not prominently warn that the skill stores decision preferences, risk profile, and decision history locally over time. Users may invoke the skill for ordinary advice without realizing that persistent profiling and retrospective records will be created, undermining informed consent and increasing privacy risk.

Missing User Warnings
Severity: Low
Confidence: 95%
Finding: The template explicitly states that it will create and replace a file under `~/decision-making/`, which is a write operation in the user's home directory. Even though this is only documentation, failing to clearly warn and obtain consent for file creation/replacement can lead to unintended modification or overwriting of user data, especially in a skill that maintains persistent memory over time.

Missing User Warnings
Severity: Low
Confidence: 82%
Finding: The file instructs users to store retrospective decision records under a home-directory path, and the content template explicitly captures potentially sensitive business, technical, and personal decision data. While this is primarily a documentation/privacy weakness rather than an exploit primitive, it can lead to inadvertent local persistence of sensitive information without guidance on minimization, access controls, or redaction.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The trigger phrase "Help me decide X" is generic enough to match ordinary conversation and may invoke the skill unexpectedly. In a skill that reads and writes persistent decision memory, unintended invocation can expose personal preference data or cause unwanted memory operations based on casual chat.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding: The phrase "What do you know about X?" is especially broad and overlaps with normal assistant conversation, making accidental routing likely. Because this command searches all memory tiers and returns matches with sources, an unintended trigger could reveal stored personal history, preferences, or past decisions without sufficiently clear user intent.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: "Forget everything" performs a full wipe of ~/decision-making/, but the command description does not require a clear warning, confirmation, or recovery safeguards. This creates a high risk of irreversible data loss from accidental invocation, ambiguous phrasing, or prompt injection that induces the agent to interpret text as a deletion request.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill automatically logs signals, timestamps, and confidence values, and updates multiple memory files, without any visible consent, retention, or privacy notice. In a self-improving agent that accumulates decision style, risk profile, and outcomes over time, silent persistence can collect sensitive behavioral data and surprise users who thought they were having an ephemeral conversation.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The setup directs creation and modification of multiple persistent files under the user's home directory and in global agent configuration without prominently warning that local state will be written and reused over time. This is risky because it can store sensitive decision preferences and alter future behavior without informed consent or clear visibility.

VirusTotal

64/64 vendors flagged this skill as clean.