Temp Publish

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed skill-management helper, but it deserves review because it can search for, install, execute, uninstall, and remember third-party skills under broad model-judgment rules.

Install only if you intentionally want an agent to manage other skills for you. Review each proposed skill, publisher, source, and side-effect summary before approving, be especially cautious with GitHub-sourced candidates or credential-using skills, and treat reflex mode as a setting that can reduce your opportunity to review repeated actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The skill persists structured knowledge that a specific credential variable is usually present in the user's environment, which expands its memory beyond task routing into credential-adjacent inference. Even if it does not store secret values, remembering credential availability can guide future autonomous behavior toward sensitive operations and increases privacy and security exposure if the cortex data is read or reused improperly.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The file claims the cortex never interferes with long-term skills, but later instructs transferring retained skills into native long-term management. That contradiction is security-relevant because operators may rely on the stated boundary while the implementation actually promotes temporary, auto-acquired skills into persistent state, enlarging the trust footprint and persistence of potentially insufficiently reviewed code.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger condition 'when installed Skills cannot complete the current task' plus 'if you can handle it yourself, just do it' is subjective and broad, leaving activation to model judgment rather than a constrained rule. In this skill's context, unintended invocation is dangerous because activation leads to searching for, selecting, and installing third-party skills from ClawHub or GitHub, increasing supply-chain and unauthorized-action risk.

Vague Triggers

Medium
Confidence: 93%
Finding
The semantic matching step authorizes reuse based on unconstrained intent alignment using the agent's 'own judgment,' with no strict similarity threshold or safety bounds. Because a match can route directly to stored candidates and potentially reflex execution paths, this can misclassify user intent and cause installation or execution of an inappropriate skill, including one with sensitive side effects.

VirusTotal

65/65 vendors flagged this skill as clean.