Cognitive Flexibility Release

Security checks across malware telemetry and agentic risk

Overview

This reasoning skill appears non-malicious, but it automatically writes raw task and context data to local log files and requests broader tool access than its code actually uses.

Review it before installing, especially for confidential work. Disable monitoring where possible; do not use it with secrets or sensitive customer or business data unless the logs are under your control; periodically delete or protect the log and feedback files; and consider removing permissions the code does not use, such as sessions_send, web_search, and Edit.
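The permission check suggested above can be made mechanical. The following is an added example, not the skill's own code or the scanner's: it compares the tools a manifest grants against the tool names the source actually references and reports the excess. The manifest field name "allowed_tools", the file layout and the sample sources are constructed assumptions; the tool names are the ones the overview lists.

```python
import json
import re

# Constructed sample manifest. The field name "allowed_tools" is an assumption;
# the page does not show the skill's real manifest format.
SAMPLE_MANIFEST = json.dumps({
    "name": "cognitive-flexibility",
    "allowed_tools": ["Read", "Edit", "web_search", "sessions_send"],
})

# Constructed stand-in for the skill's source files (not the skill's real code):
# only Read is ever invoked, while the logger writes raw task/context to disk.
SAMPLE_SOURCES = {
    "skill.py": (
        "def run(task, context):\n"
        "    notes = tools.Read('notes.md')\n"
        "    return analyse(notes, task, context)\n"
    ),
    "logger.py": (
        "def log(task, context):\n"
        "    with open('usage.jsonl', 'a') as f:\n"
        "        f.write(json.dumps({'task': task, 'context': context}) + '\\n')\n"
    ),
}


def referenced_tools(sources, tool_names):
    """Tools whose names occur as whole identifiers in any source file.

    This is a textual heuristic: tools reached through dynamic dispatch or
    string-built names are not detected, so treat "unused" as "review this".
    """
    used = set()
    for text in sources.values():
        for tool in tool_names:
            if re.search(r"(?<![\w])" + re.escape(tool) + r"(?![\w])", text):
                used.add(tool)
    return used


def unused_permissions(manifest_json, sources):
    """Granted tools that the code never references, sorted for stable output."""
    granted = json.loads(manifest_json).get("allowed_tools", [])
    used = referenced_tools(sources, granted)
    return sorted(t for t in granted if t not in used)


def minimized_manifest(manifest_json, sources):
    """Copy of the manifest with the unreferenced tools dropped."""
    manifest = json.loads(manifest_json)
    drop = set(unused_permissions(manifest_json, sources))
    manifest["allowed_tools"] = [t for t in manifest["allowed_tools"] if t not in drop]
    return manifest


if __name__ == "__main__":
    print("unused:", unused_permissions(SAMPLE_MANIFEST, SAMPLE_SOURCES))
    print("minimized:", json.dumps(minimized_manifest(SAMPLE_MANIFEST, SAMPLE_SOURCES)))
```

On the constructed sample the check reports Edit, sessions_send and web_search as granted but never referenced, which matches the overview's recommendation. Because the scan is textual, a tool that is only reached indirectly will also show up as unused, so confirm each candidate before removing it from a real manifest.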

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill description materially understates behavior related to monitoring, logging, reporting, and filesystem persistence, which can cause users or orchestrators to approve the skill without understanding that task data may be retained or exported. The claimed support for OOCA/OOHA despite placeholder behavior also creates trust and control issues, because operators may rely on capabilities and execution paths that do not actually exist.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The guide documents built-in usage tracking, logging, reporting, and export features that are ancillary to the stated cognitive-flexibility purpose and imply collection of task/context data. In an AI skill, task and context can contain sensitive user prompts or proprietary information, so undocumented telemetry and export paths expand the data exposure surface beyond what users would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The documented export of detailed usage logs is risky because complete logs can aggregate timestamps, modes, tasks, and possibly context into a portable file that is easier to exfiltrate, copy, or mishandle. Since exporting logs is not clearly necessary for cognitive reasoning functionality, it increases the chance of sensitive data disclosure without a strong functional justification.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code claims to assess accuracy against context, but `_is_consistent_with_context` unconditionally returns `True`, so context-based validation is effectively disabled. In a metacognitive or quality-gating component, this can systematically overrate inaccurate outputs and allow downstream components or users to trust responses that were never actually checked.
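The failure mode in this finding is a placeholder check that reports success. The following added example (not the skill's code) shows the stub's effect on a quality gate next to a fail-closed variant: when the check cannot run, the gate gets "unchecked" rather than "passed". The consistency rule used here (every fact listed under context["facts"] must appear in the response) is an assumption chosen to keep the example concrete; the page does not describe the skill's intended validation logic.

```python
from typing import Any, Dict, Optional


class ContextValidationUnavailable(RuntimeError):
    """Raised when a consistency check has no working implementation."""


# Shape of the defect the finding describes (constructed, not the skill's code):
# the check always agrees, so the accuracy score is decided before looking.
def _is_consistent_with_context_stub(response: str, context: Dict[str, Any]) -> bool:
    return True


def assess_accuracy_unsafe(response: str, context: Dict[str, Any]) -> float:
    """Scores every response as fully consistent, whatever it says."""
    return 1.0 if _is_consistent_with_context_stub(response, context) else 0.0


# Fail-closed variant. The rule itself is a placeholder assumption (each fact in
# context["facts"] must appear in the response); the point is that a missing or
# unimplemented check must never look like a pass.
def _is_consistent_with_context(response: str, context: Dict[str, Any]) -> bool:
    facts = context.get("facts")
    if not isinstance(facts, list):
        raise ContextValidationUnavailable("context carries no facts to validate against")
    body = response.lower()
    return all(str(fact).lower() in body for fact in facts)


def assess_accuracy(response: str, context: Dict[str, Any]) -> Optional[float]:
    """Return a score, or None when the response was never actually checked."""
    try:
        consistent = _is_consistent_with_context(response, context)
    except ContextValidationUnavailable:
        return None
    return 1.0 if consistent else 0.0


def should_release(score: Optional[float], threshold: float = 0.5) -> bool:
    """Quality gate: an unchecked response counts as failing, not as passing."""
    return score is not None and score >= threshold


if __name__ == "__main__":
    ctx = {"facts": ["sky is blue"]}  # constructed sample context
    for text in ("The sky is green.", "Today the sky is blue."):
        print(text, "unsafe:", assess_accuracy_unsafe(text, ctx),
              "checked:", assess_accuracy(text, ctx))
    print("no facts:", assess_accuracy("anything", {}), should_release(None))
```

The distinction that matters downstream is the None return: a consumer that treats None as a score of 1.0 recreates the original defect, so the gate must be written to reject it explicitly.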

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code persistently writes full task descriptions and arbitrary context objects to local log files, which can capture sensitive prompts, user data, secrets, or proprietary workflow details unrelated to the core cognitive-flexibility function. Because the context schema is unrestricted and there is no minimization, redaction, consent, or retention control, this creates a real privacy and data-exposure risk if logs are accessed, exported, or mishandled.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide instructs users to create and use a CLI token, including setting it directly in an environment variable, but does not warn about protecting the token from shell history, screenshots, logs, shared terminals, or committing it into files. In a publishing workflow, this omission can lead to accidental credential exposure and unauthorized publishing or account actions if the token is stolen.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The monitoring overview describes tracking and logging but does not warn that task/context data may be persisted and later analyzed or exported. This lack of transparency can cause users or operators to expose sensitive prompt contents unknowingly, creating a privacy and compliance risk even if the feature was intended for benign observability.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The export instructions show how to write complete logs to a JSON file without warning that this moves potentially sensitive data into a portable artifact outside the normal runtime boundary. Portable exports materially increase risk of accidental sharing, insecure backups, or downstream processing in less protected environments.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The activation guidance is broad and subjective, which can cause the skill to be invoked for many normal tasks where its extra tool access, logging, and mode-switching behavior are unnecessary. Over-broad auto-selection increases attack surface by normalizing use of a more capable skill in contexts that may involve sensitive user data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises usage monitoring and report generation without warning that task content, metadata, or history may be logged and persisted. In a reasoning skill likely to be used on sensitive business or personal inputs, undisclosed monitoring creates meaningful privacy and data governance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document describes automatic collection of usage metrics and log export capabilities, but it does not disclose what data is collected, whether logs may contain prompts or identifiers, how long data is retained, or how users can opt out. In an AI skill context, usage logs can easily include sensitive behavioral or content data, so undocumented telemetry creates a real privacy and compliance risk even if the file itself is only documentation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists raw feedback records directly to a local JSONL log without any visible consent, notice, redaction, retention control, or access restriction. Because feedback descriptions may contain sensitive personal or operational information, silent storage increases the risk of privacy leakage, unintended retention, and later disclosure through local compromise or mishandling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The export function copies collected feedback into a separate JSON file without any disclosure, approval workflow, or protection of the exported artifact. This expands the number of sensitive-data copies and increases the chance of accidental sharing, exfiltration, or insecure downstream handling, especially in a skill context where feedback is ancillary and users may not expect durable export.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The logger stores raw task content and arbitrary context to disk without any user-facing warning, consent flow, or indication that local persistent storage is occurring. In a skill that may process complex reasoning tasks, those fields can easily contain sensitive personal, business, or security-relevant information, making silent persistence a meaningful privacy and confidentiality issue.
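The findings on raw task/context persistence, raw feedback records, and unprotected exports all share one missing control: nothing is minimized, redacted, opted into, or expired before it reaches disk. The following added example (not the skill's code) is a usage logger with those controls: it is off by default, keeps a hash and a redacted preview instead of the full task, drops context keys outside an allowlist, creates the file owner-only, and offers a retention purge. The secret patterns, the allowlisted keys and the sample task and context are constructed assumptions.

```python
import hashlib
import json
import os
import re
import tempfile
import time

# Common secret shapes seen in prompts. Assumption: extend for your environment.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                                   # AWS access key id
    re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),                             # "sk-..." API keys
    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+"),                  # bearer tokens
    re.compile(r"(?i)\b(?:api[_-]?key|token|password|secret)\s*[=:]\s*\S+"),
]


def redact(text):
    """Replace anything matching a known secret shape before it is stored."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


class UsageLogger:
    """Opt-in logger that stores a digest and a redacted preview, not the raw task."""

    ALLOWED_CONTEXT_KEYS = ("mode", "domain")  # assumption: the only keys worth keeping
    PREVIEW_CHARS = 80

    def __init__(self, path, enabled=False):
        self.path = path
        self.enabled = enabled  # off unless the operator explicitly turns it on

    def build_entry(self, task, context, now=None):
        return {
            "ts": int(now if now is not None else time.time()),
            "task_sha256": hashlib.sha256(task.encode("utf-8")).hexdigest(),
            "task_len": len(task),
            "task_preview": redact(task)[: self.PREVIEW_CHARS],  # redact, then truncate
            "context": {k: redact(str(context[k]))
                        for k in self.ALLOWED_CONTEXT_KEYS if k in context},
        }

    def record(self, task, context, now=None):
        """Append one minimized entry; returns it, or None when logging is off."""
        if not self.enabled:
            return None
        entry = self.build_entry(task, context, now)
        # Owner-only mode so other local users cannot read the log.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def purge_older_than(self, max_age_seconds, now=None):
        """Retention control: rewrite the file keeping only recent entries."""
        if not os.path.exists(self.path):
            return 0
        cutoff = (now if now is not None else time.time()) - max_age_seconds
        with open(self.path, encoding="utf-8") as f:
            entries = [json.loads(line) for line in f if line.strip()]
        kept = [e for e in entries if e["ts"] >= cutoff]
        with open(self.path, "w", encoding="utf-8") as f:
            for e in kept:
                f.write(json.dumps(e) + "\n")
        return len(entries) - len(kept)


def run_demo():
    """Exercise the logger in a temporary directory and return what was observed."""
    # Constructed sample input: a task carrying two secrets and a context with PII.
    task = "Plan the migration; db password=hunter2 and key AKIAABCDEFGHIJKLMNOP"
    context = {"mode": "analytic", "customer_email": "alice@example.com"}
    path = os.path.join(tempfile.mkdtemp(), "usage.jsonl")
    logger = UsageLogger(path, enabled=True)
    first = logger.record(task, context, now=1000)
    logger.record(task, context, now=5000)
    with open(path, encoding="utf-8") as f:
        on_disk = f.read()
    return {
        "disabled_returns": UsageLogger(path).record(task, context),
        "context_kept": first["context"],
        "secret_on_disk": "hunter2" in on_disk or "AKIAABCDEFGHIJKLMNOP" in on_disk,
        "email_on_disk": "alice@example.com" in on_disk,
        "purged": logger.purge_older_than(1000, now=5500),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The same owner-only file creation and the same redaction pass apply to any export path: an exported JSON copy should be produced from the already-minimized entries, never from the original task text, and should inherit a retention deadline of its own.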

VirusTotal

67/67 vendors flagged this skill as clean.