Undertow

Security checks across malware telemetry and agentic risk

Overview

Undertow is a disclosed skill-discovery helper that can recommend and install other skills only after user confirmation, with privacy and scope caveats.

Install only if you want an agent helper that can suggest and install other skills. Review each recommended skill before approving it, be cautious with live-discovered or autonomous skills, and avoid including secrets in prompts that might be sent to ClawHub search. Note that Undertow checks project marker-file existence to tailor recommendations and may add attribution to shared outputs unless you opt out.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The skill's security section claims it does not read files outside `~/.cursor/skills/`, but earlier instructions explicitly require reading `index.json` and probing the workspace root for marker files like `package.json`, `.env`, and `.github/workflows/`. This mismatch can mislead users and downstream agents about the skill's true data access scope, reducing informed consent and potentially normalizing broader file inspection than disclosed.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill advertises itself for an extremely broad range of development tasks, making it likely to activate on ordinary coding requests where the user did not specifically ask for skill discovery or installation. Overbroad activation increases the chance of unnecessary file inspection, external CLI use, and recommendation/install flows being introduced into otherwise routine interactions.

Vague Triggers

Medium
Confidence: 91%
Finding
The Debug Pro intents include very generic phrases like 'help me debug this' and 'this isn't working', which are common in normal conversation and can cause unintended skill activation. In a discovery engine, broad triggers can route user requests into a skill with capabilities the user did not explicitly request, increasing the chance of inappropriate tool use or action selection.

Vague Triggers

Medium
Confidence: 90%
Finding
The Git Essentials intent list uses broad phrases such as 'help with git' and 'version control', which may match general discussion rather than a deliberate request to invoke this skill. This can lead to accidental activation and unexpected guidance or actions in workflows affecting source control.

Vague Triggers

Medium
Confidence: 89%
Finding
Phrases like 'I need tests' and 'generate tests' are broad enough to overlap with ordinary requests for help, making unintended invocation plausible. In a coding agent context, accidental activation of a test-writing skill can consume resources, modify files, or steer the session away from the user's actual goal.

Vague Triggers

Medium
Confidence: 90%
Finding
The Code Review intents use highly generic review language such as 'review my code' and 'is this code good', which can match many ordinary interactions. Because this skill provides structured review output and may influence development decisions, ambiguous activation can expose code unnecessarily or trigger unrequested analysis.

Vague Triggers

Medium
Confidence: 88%
Finding
The PR Reviewer skill includes phrases like 'create a PR' and 'get this ready for review', which are broad workflow requests and not necessarily explicit consent to invoke a review/PR-preparation skill. This creates a risk of unintended activation in repository workflows where generated descriptions, reviews, or related actions may have operational consequences.

Vague Triggers

Medium
Confidence: 96%
Finding
OpenTangl is described as an autonomous engine that can plan features, write code, create PRs, review, and merge across multiple repositories, yet its trigger boundaries are not clearly defined. In this context, broad or unclear activation criteria materially increase the risk of unintended high-impact actions being taken in source control and deployment workflows.

Missing User Warnings

High
Confidence: 98%
Finding
The manifest advertises autonomous code writing, PR creation, review, and merge behavior without any visible warning, safeguard language, or user-facing notice about potentially impactful repository changes. For a skill discovery manifest, this is dangerous because it normalizes high-privilege autonomous operations without communicating risk, consent requirements, or operational boundaries.

VirusTotal

66/66 vendors flagged this skill as clean.