Solo Leveling — Life RPG

Security checks across malware telemetry and agentic risk

Overview

This habit-tracking skill is mostly coherent, but it includes under-disclosed phone-call automation, public audio upload, bundled personal state, and recurring cron behavior that users should review before installing.

Install only if you are comfortable with a forceful accountability tracker that stores habit and schedule data locally. Before use, remove the bundled Annu config/player history, avoid adding Twilio or ElevenLabs credentials unless you explicitly want phone-call reminders, and do not allow cron setup unless the exact jobs and removal steps are shown first. The transfer.sh audio upload path should be disabled or replaced with private storage before sending sensitive reminder content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requests capabilities for local file writes, environment/config access, and network use without declaring them, which hides its true operational scope from users and reviewers. In this context, those capabilities enable persistence, credential use, and external communication, making the undeclared behavior materially risky rather than incidental.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The described skill is a habit-tracking/gamification tool, but the detected behavior includes outbound phone calls, third-party voice synthesis, public file upload, and credential consumption. That mismatch is highly dangerous because it can exfiltrate personal data, spend money through telephony APIs, and perform external actions the user did not reasonably consent to from the stated description.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Directing the agent to create OS-level cron jobs introduces persistence and recurring execution on the host system, which exceeds what a user would expect from a simple habit-tracking persona. In context, recurring jobs can continue operating after the initial interaction, trigger unintended actions, and make removal or auditing difficult.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill instructs execution of local scripts for initialization, status management, XP updates, and reset operations, expanding it from conversational guidance into arbitrary local code execution. Even if the scripts are intended for benign game-state management, invoking local executables increases the attack surface and can modify files or system state unexpectedly.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script adds outbound voice-call automation using Twilio and ElevenLabs, which goes beyond a habit-tracking/gamification skill and creates a real-world communication channel capable of contacting a configured target number without interactive consent at execution time. In the context of an agent skill, this materially increases abuse potential for spam, harassment, coercive reminders, or unintended costly telephony actions, especially because the content is dynamically generated from input text.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code uploads generated call audio to transfer.sh, a public third-party file-hosting service, which exposes potentially sensitive spoken content to an uncontrolled external endpoint and makes it retrievable by URL. This creates confidentiality, retention, and link-leakage risks, and it is especially dangerous because the skill context does not justify public hosting of user-derived voice content.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script implements outbound telephony and reads Twilio credentials from local configuration, which is a materially more powerful capability than the skill’s stated habit-tracking/gamification purpose. In this context, automated calling can be abused for harassment, coercive reminders, premium-number fraud, or unapproved contact, and the mismatch between manifest and capability increases the chance that users or reviewers will not expect the behavior.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The file includes an external telephony capability that can place real voice calls without any visible in-script user approval flow. Because the skill theme includes 'ruthless' accountability and penalty language, this capability is more dangerous than a neutral notification feature: it can be used to pressure or repeatedly contact a target in ways that exceed normal habit tracking.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger terms are extremely broad, including common words like 'quest,' 'rank,' 'stats,' 'streak,' and 'level up,' so the skill may activate in unrelated conversations. In this case, accidental activation matters because the skill can collect profile data, alter behavior, and potentially initiate persistent or external actions once engaged.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation guidance says the skill applies to anything related to The System, quests, leveling, dungeons, or gamified habit tracking, but does not specify when it should not activate. That ambiguity increases the chance of the skill taking over benign discussions and steering them into data collection or system-modifying behavior without sufficient user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The onboarding flow collects personal profile and schedule data such as name, timezone, sleep/wake times, and daily routine details, but the description does not warn users that this information will be stored. In a habit-tracking context this data is sensitive because it reveals behavioral patterns and can support profiling or targeted abuse if mishandled.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs setup of recurring cron jobs but does not warn users in advance that it will create persistent scheduled tasks affecting system behavior. That omission is dangerous because users may unknowingly authorize ongoing automated actions, including future network or script execution, beyond the current session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill specifies collecting photo proof, Telegram activity timestamps, response times, and behavioral pattern analysis to verify user actions, but it provides no consent flow, privacy notice, retention limits, or data-minimization guidance. In a habit-tracking context, this can normalize surveillance of sensitive behavioral and temporal data and lead to overcollection, misuse, or unexpected disclosure of personal information.

Natural-Language Policy Violations

Low
Confidence
87% confidence
Finding
The message template uses coercive monitoring language ('The System is watching. Do not disappoint.') that implies surveillance and pressure without explicit user opt-in. In a gamified habit system already tied to penalties and behavioral detection, this can encourage manipulative engagement patterns and make users feel monitored or compelled beyond their comfort level.

Missing User Warnings

High
Confidence
98% confidence
Finding
Uploading audio content to a public hosting service without explicit warning or confirmation deprives users of informed consent regarding disclosure of message contents and metadata. In a habit/accountability skill, the audio may contain sensitive personal details, routines, or motivational content, so silent public upload significantly raises privacy risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends account credentials, destination phone number, and message content to Twilio over the network, but provides no user-facing notice, confirmation, or consent mechanism at send time. Even though the transport is HTTPS, this is still a privacy and safety issue because sensitive personal data and behavioral prompts are transmitted to a third party and can trigger real-world contact without an explicit approval step.

VirusTotal

66/66 vendors flagged this skill as clean.
