ClawHub

Skill Alchemy Main

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for generating agent skills, but it needs review because it can fetch untrusted remote skill files and guide changes to installed agent behavior.

Review the skill before installing, especially the LEAP and Lens subskills. Use it only in a workspace where network search and generated output files are acceptable. Before copying any generated skill into ~/.claude/skills, inspect the generated SKILL.md and references, confirm the source URLs used for exemplars, and avoid 'all default' mode for sensitive or proprietary targets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (42)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs file reads/writes, local installation, and network-backed retrieval through its subskills, but it does not declare permissions or clearly disclose those capabilities to the user. This creates a consent and transparency gap: users may trigger filesystem modification, remote fetching, and artifact generation without understanding the security boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared description presents the skill as a simple orchestrator, but the documented behavior expands into broad remote retrieval, corpus building, scoring, validation, and media transcript acquisition through delegated execution. This mismatch is dangerous because users and policy systems may grant trust based on the narrow description while the actual workflow performs materially riskier network and data-processing operations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README encourages installation through broad natural-language prompts such as asking the agent to install a named skill from the repository. This can cause unintended skill activation or installation if a user copies vague instructions, especially in environments where the agent has tool access and may resolve ambiguous names or paths automatically.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to run a command and natural-language prompt that will fetch and install a remote skill into their agent environment, but it does not clearly warn that this changes local agent behavior and imports unreviewed third-party content. In the context of agent skills, installation can alter prompts, tools, and execution behavior, so omission of a security warning increases the chance that users will perform a blind install from GitHub.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The natural-language install instructions encourage users to ask an agent to install a named skill from the repository without disclosing that this will modify the local agent's installed skills and operational environment. This is risky because users may delegate installation to an agent without reviewing the target skill, making social-engineering or supply-chain abuse easier if the repository or a sub-skill is unsafe.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs deletion of generated files and installation-style copy operations into the user's skill directory without prominent safety warnings or confirmation requirements. Even if paths are intended to be controlled, deletion and install instructions can cause accidental data loss, overwrite existing skills, or normalize unsafe filesystem actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes online search and retrieval as part of exemplar discovery and fusion without clearly informing the user that prompts, targets, or derived metadata may be sent over the network. This creates privacy and data-handling risk, especially when users submit proprietary ideas or sensitive source material for distillation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs automatic deletion of generated files and directories after compilation, including reference artifacts, without any explicit confirmation or user-facing warning. In an agentic pipeline, silent cleanup can destroy audit trails, intermediate evidence, or user-expected outputs, making mistakes harder to detect and recover from.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill performs live search, downloads remote SKILL.md files from public sources, and runs local scoring logic on them without clearly warning about network access or external content ingestion. This can expose prompts, metadata, or sensitive search terms to third parties and increases the risk of importing adversarial or untrusted remote content into the pipeline.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The fusion branch also performs online skill discovery and remote fetching, again without an explicit warning or consent flow. Because this branch is intended to compose other skills into new outputs, unannounced network access and ingestion of external skill content can propagate untrusted instructions and leak user intent or local workflow details.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The natural-language trigger examples are very broad and overlap with ordinary conversation such as asking for analysis or help generating a skill. In an agent environment, this can cause unintended activation, routing user input into this skill when the user did not explicitly intend it, which may lead to incorrect behavior, prompt-context leakage across skills, or accidental execution of downstream orchestration.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation scope is described generally as something that can be used directly or by an orchestrator, but it does not clearly state when the skill should or should not be selected. Ambiguous scope increases the chance of misrouting and accidental invocation, especially because the skill claims to silently process tasks without interaction, reducing opportunities for user correction before downstream effects occur.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are very broad and overlap with ordinary user requests such as asking for analysis or help generating something. This can cause the skill to activate in situations beyond its intended scope, increasing the chance of unintended routing, context capture, or interference with other skills and user workflows.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are very broad (e.g. '帮我想想', '分析一下', '生成 skill', '蒸馏', '融合'), so this skill may activate for many ordinary requests that were not intended for this workflow. That can cause routing hijacks, unexpected behavior, and bypass of more appropriate or safer skills, especially because Lens transforms user intent without asking clarifying questions.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill metadata and behavior are written to operate in Chinese without any indication that language should follow user preference. This can override user language expectations, reduce usability, and create misunderstanding in downstream orchestration when the user did not opt into Chinese output.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad enough to overlap with normal discussion about checking images, statistics, or paper integrity, which can cause the skill to auto-activate when a user did not explicitly request this workflow. Unintended activation is a real safety and UX risk because this skill handles sensitive allegations and may steer conversations into forensic or accusatory territory without clear consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger "any step about to be reasoned" is overly broad and can activate the routing logic in contexts where no clear execution boundary or safety check exists. In a code-execution decision skill, ambiguous activation increases the chance that routine reasoning gets escalated into code generation/execution paths unnecessarily, which can expand attack surface, waste resources, or mishandle untrusted inputs.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Several later triggers are similarly underspecified, causing inconsistent or overly permissive activation of decomposition, sandbox selection, and retry behaviors. In this skill context, loose trigger definitions are more dangerous because they directly influence whether code is emitted, what runtime is chosen, and whether failed executions are retried, all of which can compound unsafe behavior if applied too broadly.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The repeated-correction trigger does not clearly define whether corrections are counted per turn, per session, across sessions, or after successful remediation. That ambiguity can make the agent infer persistence actions too early, causing it to encode transient preferences as durable project rules and potentially poison long-lived agent memory or repo guidance files.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The repeated-correction trigger does not clearly define whether corrections are counted per turn, per session, across sessions, or after successful remediation. That ambiguity can make the agent infer persistence actions too early, causing it to encode transient preferences as durable project rules and potentially poison long-lived agent memory or repo guidance files.

Vague Triggers

Medium
Confidence
82% confidence
Finding
OP-5 uses broad criteria like 'same mistake twice' and 'should have known' without clear exclusions, making rule addition easy to trigger from subjective or noisy signals. Because this skill is specifically about creating persistent conventions artifacts for coding agents, over-triggering can accumulate low-quality or contradictory rules that degrade future outputs and create instruction bloat across tools.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger for OP-1 is broad enough that the skill could activate across many multi-call language-model workflows without clear boundaries, causing over-application of the tiering pattern. In an agent setting, ambiguous activation can misroute tasks, apply cost-driven downgrades where stronger judgment is needed, and increase the chance of quality or safety regressions in downstream outputs.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The architect+editor trigger covers almost any 'reason-then-land' workflow, making it likely to match generic reasoning tasks rather than the narrower cases where a strong planner and cheap formatter are actually safe. This can push users or orchestrators to separate planning from execution even when the execution step itself requires substantive judgment, creating hidden quality and correctness failures.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Across the manifest, several triggers describe common optimization or orchestration situations in highly general terms, so the skill may be selected in contexts far beyond its validated scope. In SkillAlchemy, which is designed to generate installable skills from broad user goals, this lack of scoping is more dangerous because generic triggers can propagate into reusable artifacts that institutionalize unsafe or low-quality activation behavior.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger condition is overly broad: matching any user request involving 'team/collaboration/roles' can cause this CrewAI-specific skill to activate for many ordinary planning or coordination queries that do not actually require this framework. In a skill-routing system, such overmatching can misroute user requests, suppress more appropriate skills, and steer users into unnecessary multi-agent generation paths with increased complexity and tool exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal