ClawHub
Back to skill

Security audit

Albion Evolver

Security checks across malware telemetry and agentic risk

Overview

This skill appears to let an agent autonomously change code and create commits without clear user approval or tight scope, so it needs review before installation.

Install only if you want an agent that can actively modify repositories and create commits. Use it in a disposable or well-backed-up workspace first, review diffs before accepting changes, and require explicit approval before writes, commits, rollbacks, network calls, or self-modifying runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill is framed as a general-purpose autonomous self-improvement engine without clear trigger boundaries, exclusion conditions, or user-confirmation requirements. In a skill with shell, network, workspace read/write, and self-modifying behavior, broad activation criteria materially increase the chance of unintended execution against arbitrary repositories or contexts, leading to unauthorized code changes or dangerous autonomous actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to apply code changes and create git commits automatically, but it does not present a clear user-facing warning that workspace files and repository history will be modified. Given the declared shell/network permissions and autonomous rollback/commit workflow, this can cause silent file mutation, unintended commits, and difficult-to-audit changes in the user's environment.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.