Agricultural Output Forecasting

Security checks across malware telemetry and agentic risk

Overview

The forecasting and billing features mostly fit the stated purpose, but the package includes an under-disclosed long-running self-evolution daemon and inaccurate privacy claims about stored user identifiers.

Review before installing. Use a non-sensitive user_id, expect local trial records to remain until deleted, and configure only trusted SkillPay credentials while monitoring token charges. Do not run auto-evolve-daemon.sh unless you intentionally want a long-running background process, and treat the privacy and setup docs cautiously because they do not fully match the code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The README states that no personally identifiable information is collected, yet the examples explicitly pass a user_id into the forecasting function and CLI. Even if the identifier is pseudonymous, this creates a contradiction that can mislead users about privacy handling and may result in collection or transmission of user-linked data without proper disclosure.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The documentation claims no personally identifiable information is collected, yet the interface requires a user_id and returns per-user trial and balance state. Even if user_id is a pseudonymous identifier, it is still account-linked data and can become personal data when tied to a user account or external records, making the privacy statement misleading.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The script implements an unattended auto-evolution daemon that repeatedly invokes a self-modifying component (`self_evolve.py`) against the skill directory forever. In the available context, there are no guardrails, approval gates, scope restrictions, or integrity checks, so the skill can change its own behavior over time in a way that is opaque to users and difficult to audit.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The daemon runs indefinitely in the background and only records activity to a log file, providing no interactive notice, consent, or runtime safety control. This creates a persistence mechanism for repeated execution of arbitrary future logic in `self_evolve.py`, increasing the chance of unnoticed harmful changes or resource abuse.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The example states that calling `forecast_output` automatically deducts 1 token, but the surrounding documentation does not clearly warn users before the charge occurs or describe consent/confirmation expectations. In a billing-integrated skill, silent or under-disclosed charges can lead to unauthorized spending, user deception, and compliance issues even if the charge amount is small.

VirusTotal

66/66 vendors flagged this skill as clean.