gungun-12-clo - Chief Learning Officer

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent self-learning tool, but it persistently records conversation and error context and can modify long-lived agent knowledge files without enough privacy or write-scope safeguards.

Install only if you intentionally want a local persistent learning system for the agent. Do not use it with private, regulated, customer, credential, or production incident data unless you add explicit opt-in, redaction, retention/deletion controls, and manual review before promoting anything into AGENTS.md, SOUL.md, TOOLS.md, or MEMORY.md. Restrict or remove the generic promote command before using it in an automated agent workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The status update routine claims to update a specific learning record by learning_id, but it ignores that id and performs a string replacement on the first '**Status**: pending' entry in the file. Whenever the targeted record is not the first pending one, a different record is silently marked as promoted, corrupting the audit/history data and undermining the integrity and traceability of the learning system.
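
Added illustration (not code from the skill or from SkillSpector): the two update strategies the finding contrasts, run against a constructed LEARNINGS.md. The record layout (an H2 heading carrying the learning_id, followed by bold fields) is an assumption made for this example; the skill's actual file layout is not shown on this page.

```python
import re

# Constructed sample LEARNINGS.md content (not the skill's real file). The record
# layout (an H2 heading carrying the learning_id, then bold fields) is assumed.
SAMPLE_LEARNINGS = """# LEARNINGS

## L-001 Use pathlib for workspace paths
**Status**: pending
**Summary**: os.path.join concatenation caused a bug

## L-002 Run tests before promoting
**Status**: pending
**Summary**: promoted a rule that broke CI
"""


def update_status_buggy(content: str, learning_id: str, new_status: str) -> str:
    """Pattern the finding describes: learning_id is accepted but never used; the
    first pending marker in the whole file is replaced, whichever record owns it."""
    return content.replace("**Status**: pending", f"**Status**: {new_status}", 1)


def update_status_scoped(content: str, learning_id: str, new_status: str) -> str:
    """Locate the record block for learning_id and change only its Status line."""
    # A record starts at '## <id>' and ends at the next '## ' heading or end of file.
    block_re = re.compile(
        rf"(^## {re.escape(learning_id)}\b.*?)(?=^## |\Z)", re.S | re.M
    )
    m = block_re.search(content)
    if m is None:
        raise KeyError(f"no learning record with id {learning_id!r}")
    block = m.group(1)
    new_block, n = re.subn(
        r"^\*\*Status\*\*: \w+$", f"**Status**: {new_status}", block, count=1, flags=re.M
    )
    if n != 1:
        raise ValueError(f"record {learning_id!r} has no Status field")
    return content[: m.start(1)] + new_block + content[m.end(1) :]


def status_of(content: str, learning_id: str) -> str:
    """Read back the Status field of one record (used to verify an update)."""
    m = re.search(
        rf"^## {re.escape(learning_id)}\b.*?^\*\*Status\*\*: (\w+)$",
        content,
        re.S | re.M,
    )
    return m.group(1) if m else ""


if __name__ == "__main__":
    # Promote L-002 both ways and show which record each version actually changed.
    buggy = update_status_buggy(SAMPLE_LEARNINGS, "L-002", "promoted")
    fixed = update_status_scoped(SAMPLE_LEARNINGS, "L-002", "promoted")
    print("buggy :", status_of(buggy, "L-001"), status_of(buggy, "L-002"))
    print("scoped:", status_of(fixed, "L-001"), status_of(fixed, "L-002"))
```

The scoped version also fails loudly when the id does not exist or the record has no Status field, instead of quietly editing whatever comes first; a promotion step in an automated workflow should treat either of those as an error, not a success.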

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly promotes automatic recording of learning events, errors, and dialogue-derived insights, but provides no notice, consent flow, retention limits, or guidance for handling sensitive content. In practice this can cause agents to persist personal, confidential, or regulated data from ordinary conversations into local files or memory stores without user awareness.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The promotion rules direct learned content into persistent knowledge files such as SOUL.md, AGENTS.md, TOOLS.md, and MEMORY.md without warning that transient conversation content may be copied into broader long-term memory. This increases the chance that sensitive or context-specific data becomes durable, widely reused, and harder to audit or delete.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill explicitly describes ongoing conversation monitoring and logging of user corrections, errors, and new knowledge, but provides no privacy notice, consent model, retention rule, or data minimization guidance. In an agent setting, that creates a real risk of collecting and persisting user content unexpectedly, including sensitive information shared during normal interaction.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The promotion workflow automatically writes learned content into multiple knowledge-base files such as SOUL.md, AGENTS.md, and TOOLS.md without warning that persistent project documentation will be modified. This can lead to unauthorized or surprising changes, especially if the promoted content is derived from unreviewed conversations or errors.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The generic promote command accepts an arbitrary filename and writes directly to self.workspace / filename with no allowlist or path validation. An attacker or untrusted caller can supply a value such as '../sensitive_file' to write outside the workspace, or name an unexpected file inside it and overwrite it. This is especially risky because the markdown files in the workspace influence downstream agent behavior, so an unchecked write doubles as a way to plant instructions or corrupt local state.
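
Added illustration (not the skill's or SkillSpector's code) of the check this finding asks for: a promote destination restricted to a bare, allowlisted filename that must still resolve inside the workspace after normalisation. The allowlist reuses the four knowledge files named elsewhere on this page; the function names and the workspace path used in the demonstration are assumptions.

```python
from pathlib import Path, PurePosixPath

# Files the skill's promotion rules are documented to target. Treating them as the
# only legitimate promote destinations is an assumption made for this example.
PROMOTE_ALLOWLIST = frozenset({"AGENTS.md", "SOUL.md", "TOOLS.md", "MEMORY.md"})


def promote_target_unchecked(workspace: Path, filename: str) -> Path:
    """Pattern the finding describes: the caller's filename is joined as-is, so
    '../sensitive_file' or any other workspace file becomes a write target."""
    return workspace / filename


def promote_target_checked(workspace: Path, filename: str) -> Path:
    """Return the destination only if it is a bare, allowlisted name that resolves
    inside the workspace; raise ValueError otherwise."""
    # 1. Bare filename only: no directory components, no absolute paths, no '.'/'..'.
    if filename in ("", ".", "..") or filename != PurePosixPath(filename).name:
        raise ValueError(f"promote target must be a bare filename: {filename!r}")
    # 2. Allowlist of the knowledge files the promotion workflow may modify.
    if filename not in PROMOTE_ALLOWLIST:
        raise ValueError(f"{filename!r} is not a promotable knowledge file")
    # 3. Belt and braces: after resolution the path must still sit directly under
    #    the workspace root, so a symlinked or odd name cannot escape.
    root = workspace.resolve()
    target = (root / filename).resolve()
    if target.parent != root:
        raise ValueError(f"{filename!r} resolves outside the workspace")
    return target


def is_safe_promote_target(workspace: Path, filename: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        promote_target_checked(workspace, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ws = Path("/tmp/agent-workspace")  # assumed workspace location for the demo
    for name in ("SOUL.md", "../sensitive_file", "/etc/passwd", "notes/SOUL.md", "LEARNINGS.md"):
        print(f"{name!r:22} unchecked -> {promote_target_unchecked(ws, name)}"
              f"  accepted by check: {is_safe_promote_target(ws, name)}")
```

The allowlist is the control that matters: a traversal check alone would still let a caller overwrite LEARNINGS.md or any other file in the workspace, which is the second half of the finding.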

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The recorder writes user-provided summaries, details, error output, and context into persistent markdown files under a fixed workspace path without any notice, consent flow, minimization, or redaction. In an agent skill context, these fields can contain sensitive conversation data, credentials, tokens, internal paths, or proprietary content, creating a privacy and secret-retention channel that may later be exposed to users, logs, backups, or other tools.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The documented record format encourages storing the 'full context' (完整上下文) and preserving source material from conversations and errors, which naturally leads to broad retention of raw user communications. Without boundaries, this can capture sensitive prompts, personal data, business information, or secrets embedded in error traces and command output.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The integration example tells agents to store full details after conversations and to record raw error output and context, which is a common path for leaking user-supplied sensitive data into logs. Because this is presented as a ready-to-use pattern for agent developers, it materially increases the likelihood of unsafe implementation.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The customer-service scenario recommends recording service conversations to improve answers, but gives no privacy boundaries, consent requirement, or data minimization rules. In a support context, conversations frequently contain account details, contact information, tickets, billing data, and other sensitive records, making unrestricted retention significantly more dangerous.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The role definition instructs the agent to record learnings from every conversation and analyze mistakes, which encourages broad capture of user-derived interaction data. Without boundaries on what must not be stored, sensitive personal, credential, business, or operational information can be persisted as part of routine logging.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The learning card template asks for the 'full context' (完整上下文) and detailed descriptions of what happened, what was wrong, and what was correct, which strongly encourages copying raw conversation material into persistent files. In practice, this increases the chance that sensitive user inputs, internal prompts, or confidential operational details are stored indefinitely.

Ssd 3

Severity: High
Confidence: 99%
Finding
The recorder writes the provided details field directly into LEARNINGS.md with no sanitization, filtering, consent check, or access restriction. Because details are conversation-derived, this creates a direct path for sensitive data exfiltration into persistent local storage, where it may later be read, promoted, or committed elsewhere.

Ssd 3

Severity: High
Confidence: 98%
Finding
The error logging flow stores slices of raw error output and free-form context, while the accompanying template encourages recording commands, inputs, and environment details. Failed operations often surface secrets, file paths, tokens, prompts, or user-supplied data, so persisting these verbatim materially increases confidentiality risk.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The feature-request path stores raw request and user context verbatim in a persistent file, which can capture sensitive natural-language content from conversations. Because the file is placed in a predictable workspace location and no sanitization, access control, or retention policy is applied, this becomes a durable data leakage channel for personal data, secrets, or confidential operational details.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The error recorder persists raw error output and optional context directly into markdown, which is especially risky because error streams often contain tokens, stack traces, URLs, API keys, file paths, and snippets of user data. In an agent environment, these artifacts may later be surfaced to operators or other components, turning transient secrets into durable disclosures.
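
The recorder findings above (details written verbatim to LEARNINGS.md, raw error output and free-form context persisted as-is, and this one) all point at the same missing step: nothing is redacted before it reaches disk. Added example, not the skill's code: a rule-based redactor run over a constructed error capture containing made-up credentials, and a record builder that truncates and redacts both fields before they are persisted. The patterns, labels and size cap are assumptions chosen for this example; they are a starting point for a recorder, not a complete secret detector.

```python
import re

# Constructed sample of the kind of raw error output an agent skill might capture.
# Every credential below is fake and exists only for this example.
SAMPLE_ERROR_OUTPUT = """Traceback (most recent call last):
  File "/home/alice/proj/deploy.py", line 42, in push
    requests.post(url, headers={"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123DEF456"})
HTTPError: 401 for https://alice:Sup3rSecret@git.example.com/repo.git
env: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE  DB_PASSWORD=hunter2
contact: alice@example.com
"""

# (label, pattern, replacement). Order matters: specific token formats run before the
# generic key=value rule so each secret is attributed to the most precise label.
REDACTION_RULES = [
    ("PEM", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "<REDACTED:PEM>"),
    ("AWS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "<REDACTED:AWS_KEY>"),
    ("GITHUB_TOKEN", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"), "<REDACTED:GITHUB_TOKEN>"),
    ("BEARER", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]+=*"), "Bearer <REDACTED:TOKEN>"),
    ("URL_CREDS", re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://)[^/\s:@]+:[^/\s@]+@"),
     r"\1<REDACTED:URL_CREDS>@"),
    ("KV_SECRET", re.compile(
        r"(?i)\b([A-Z_]*(?:password|passwd|secret|token|api_key|apikey)[A-Z_]*)(\s*[:=]\s*)(\"?)[^\s\"',;]+"),
     r"\1\2\3<REDACTED:SECRET>"),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "<REDACTED:EMAIL>"),
    ("HOME_PATH", re.compile(r"/(home|Users)/[^/\s]+"), r"/\1/<REDACTED:USER>"),
]

MAX_ERROR_CHARS = 2000  # assumed cap on how much error output is ever persisted


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Apply every rule in order; return the redacted text and per-label hit counts,
    so the recorder can log that redaction happened without logging what was removed."""
    counts: dict[str, int] = {}
    for label, pattern, replacement in REDACTION_RULES:
        text, n = pattern.subn(replacement, text)
        if n:
            counts[label] = n
    return text, counts


def prepare_error_record(error_output: str, context: str) -> str:
    """Build the text a recorder may persist: truncate first, then redact both the
    error slice and the free-form context. Indentation replaces a fenced block so the
    record cannot break out of the surrounding markdown."""
    clipped = error_output[:MAX_ERROR_CHARS]
    safe_error, _ = redact(clipped)
    safe_context, _ = redact(context)
    indented = "\n".join("    " + line for line in safe_error.splitlines())
    return f"**Error output**:\n{indented}\n**Context**: {safe_context}\n"


if __name__ == "__main__":
    redacted, hits = redact(SAMPLE_ERROR_OUTPUT)
    print(redacted)
    print("redactions:", hits)
```

Truncation happens before redaction on purpose: a cap applied afterwards could cut a replacement marker in half, and a cap applied to the raw text bounds how much the regexes have to scan. Redaction is a mitigation, not consent; the retention and opt-in controls named in the overview are still needed on top of it.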

VirusTotal

67/67 vendors flagged this skill as clean.
