ClawHub

Iterative Code Evolution

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed developer workflow skill for iterative code improvement, with expected code edits, test execution, and local logging but no evidence of hidden or malicious behavior.

Install this for trusted development workspaces where you are comfortable with the agent editing files, running tests or code, and keeping an `.evolution/` history. Review generated changes before accepting them, and avoid using it on untrusted code or sensitive repositories unless your normal sandboxing and approval controls are active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is broad enough to match many ordinary software-development requests such as improving code quality, debugging, or optimizing implementations. In agent environments where skills are auto-selected from natural-language descriptions, this can cause over-invocation, unexpectedly steering workflows into a persistent iterative loop that writes files, tracks variants, and changes project state beyond what the user intended.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The usage guidance includes common workflow phrases like 'debugging persistent issues' and 'building or improving prompts, pipelines, agents,' which are broad enough to capture a large class of normal tasks. This increases the chance that an agent will invoke the skill in contexts where its mutation/verification/archive behavior is unnecessary or risky, potentially causing excessive edits, file creation under `.evolution/`, or unintended iterative execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal