Self Improvement

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it persistently saves user feedback and its documentation suggests prompt self-updates and Telegram sharing without adequate controls.

Install only if you are comfortable with user feedback being saved locally in a fixed OpenClaw workspace path. Avoid putting secrets or personal data in feedback, review or edit the storage path, and do not enable Telegram forwarding or prompt auto-updating unless you add explicit approval, redaction, audit, and rollback controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description is extremely broad ('any agent', 'any user feedback'), which can cause over-triggering and make the skill process unrelated conversations. In this context, that broad scope increases the chance of collecting and acting on sensitive or adversarial feedback outside the intended task boundary.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly stores user feedback persistently but does not warn users that their responses may be retained and reused. That creates a privacy and data-governance risk, especially because feedback may contain personal, confidential, or security-relevant content not intended for long-term storage.

Missing User Warnings

Medium
Confidence: 95%
Finding
The cron example forwards generated improvements to Telegram without any warning that the content may be derived from stored user feedback. This creates a realistic risk of exfiltrating user-provided data to a third-party channel, especially if summaries include raw hints or sensitive context.

Missing User Warnings

Medium
Confidence: 97%
Finding
The example says the agent 'auto-updates prompt' based on captured user feedback without warning about autonomous modification of system behavior. This is dangerous because untrusted user input can become persistent instructions, enabling prompt injection, policy drift, or degradation of future agent behavior.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script persists raw user feedback text to a long-lived file under the agent workspace, but it provides no meaningful notice, consent flow, retention limit, or redaction of potentially sensitive content. Because user feedback can easily contain secrets, personal data, or confidential instructions, this creates a privacy and data-handling risk if the workspace is later read by other skills, users, backups, or logs.

Ssd 3

Medium
Confidence: 97%
Finding
The skill is designed to persist and reuse user feedback across time, which can cause user-provided content to surface in later summaries, analyses, or suggestions. Because the source text is untrusted and potentially sensitive, this creates a data leakage channel and a persistence mechanism for adversarial content.

Ssd 3

Medium
Confidence: 98%
Finding
The documented JSON schema retains raw 'hint' text in persistent storage, which makes later disclosure straightforward through stats, summaries, or debugging. If users include secrets, personal data, or malicious instructions in feedback, those can be preserved and propagated beyond the original interaction.

Ssd 3

Medium
Confidence: 96%
Finding
The scheduled workflow sends improvement content derived from stored feedback to another channel, increasing the chance that user-originated text leaves its original trust boundary. Even if summarized, this can leak sensitive details or preserve adversarial instructions in outbound communications.

Ssd 3

Medium
Confidence: 99%
Finding
Auto-updating the agent prompt from captured user responses turns untrusted input into persistent behavioral state. This materially raises the danger because prompt injection or harmful directives can survive across sessions and influence future actions, effectively becoming a self-poisoning mechanism.

VirusTotal

No VirusTotal findings