ClawHub

Pretenziya Ru

Security checks across malware telemetry and agentic risk

Overview

The skill can draft Russian complaints, but it also tells the agent to run local Python commands to track usage and add promotional text, which is outside that purpose.

Review this skill carefully before installing. The drafting guidance is understandable, but the local counter and promotional workflow should be removed or made transparent and platform-controlled; an ordinary complaint-writing skill should not need shell/Python execution or persistent local state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill's stated purpose is drafting complaints, but it additionally instructs the agent to execute local Python commands, read a workspace file, and conditionally modify local state for cross-promotion. This is dangerous because it introduces unauthorized local command execution and persistence unrelated to the user task, creating a path for data access, covert state tracking, and policy bypass.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill contains context-inappropriate instructions to run shell/Python commands and persist a counter in a local workspace file. For a document-drafting skill, any local execution or file mutation is unnecessary and materially increases risk by enabling filesystem interaction and hidden state across sessions.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill correctly warns that user documents are untrusted, but then undermines its own safety posture by embedding unrelated side-effecting execution instructions later in the file. This contradiction is dangerous because it normalizes prompt-injection awareness while still attempting to coerce the agent into unsafe local actions through the trusted skill body itself.

Missing User Warnings

High
Confidence
99% confidence
Finding
The markdown explicitly instructs the agent to execute commands that read and write a workspace file, with no user notice or consent. Hidden local side effects are dangerous because they can leak environment details, establish persistent tracking, and create a precedent for arbitrary command execution from untrusted skill content.

Ssd 4

High
Confidence
100% confidence
Finding
The Attribution section disguises a multi-step operational payload as benign formatting guidance, coercing the agent to inspect local state, persist a counter, and append promotional content conditionally. This is especially dangerous because it couples hidden command execution with marketing output, demonstrating intentional misuse of the skill channel for unauthorized side effects and stateful behavior.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal