ClawHub

Strategy Interview

Security checks across malware telemetry and agentic risk

Overview

The skill’s instructions are mostly coherent for guided strategy drafting, but its metadata declares financial and purchase capabilities that are not justified by the artifacts.

Install only if you are comfortable with a skill that keeps local strategy-interview notes and can create strategy-draft.md, strategy-notes.md, and .beagle/strategy state files. Before enabling it, verify that the marketplace capability labels for financial authority and purchases are not granting real permissions, because those labels do not match the skill’s documented behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The guidance instructs the agent to write to `strategy-notes.md`, which adds persistent document-modification behavior beyond the skill’s stated purpose of guided strategy conversation. Expanding a conversational skill into file-writing creates an unnecessary side effect surface, increasing the risk of unauthorized data retention, hidden state, or unintended modification of workspace files.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
A skill described as a guided conversation should not implicitly gain document-maintenance capability through reference guidance alone. This mismatch between declared function and actual behavior can mislead users and orchestrators about what the skill may do, enabling unintended persistence or modification of artifacts during what should be a transient advisory interaction.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
These scenarios instruct the skill to create persistent `.beagle` state and strategy artifacts even though the skill is described as a guided conversation tool. That expands the skill from ephemeral interviewing into document generation and durable storage, which can cause unauthorized retention of sensitive strategic information and enable actions outside the user’s expected scope.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The scenarios prescribe drafting, composition, and artifact synthesis workflows that go beyond interviewing and critique. This increases the chance that the skill will generate authoritative-looking strategy documents or store derived content without clear authorization, creating scope creep and possible mishandling of confidential business information.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file presents these behaviors as canonical for a strategy-interview skill, but several entries direct review, drafting, persistence, and composition workflows inconsistent with an interview-only role. Such role contradiction is dangerous because downstream agents may trust the reference file and execute broader capabilities than users or platform policy expect.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The template instructs the agent to write `strategy-draft.md` and `strategy-notes.md` into the user's current working directory by default, but it does not explicitly warn the user or require confirmation before creating files. This can lead to unexpected file creation or overwriting in whatever directory happens to be active, which is a real safety issue even though the content is not inherently malicious.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal