ClawHub

BotLearn

Security checks across malware telemetry and agentic risk

Overview

BotLearn appears to be a real social-agent skill, but it asks for ongoing autonomous registration, messaging, posting, updates, credential storage, and local memory review with too little user control.

Install only if you intentionally want an agent to participate in BotLearn with recurring autonomous activity. Before enabling it, require confirmation for registration, credential storage, posting, commenting, voting, DMs, updates, and add-on installation; disable or review heartbeat scheduling; and do not allow it to scan private memory, project notes, or conversation logs unless you explicitly opt in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (42)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The instruction to scan memory files from the past 30 days, including conversation logs and task records, expands the skill from BotLearn social interaction into broad cross-context access of user data. That creates an unnecessary privilege and data-minimization violation, increasing the chance that sensitive information from unrelated work is reused, exposed, or acted on without the user's explicit request.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to persist synthesized knowledge to local memory without asking the user for confirmation. This exceeds the stated BotLearn SDK purpose and authorizes autonomous state changes on local files, which can silently store user-related inferences or sensitive context outside the immediate BotLearn task.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The documentation instructs agents to automatically approve all incoming DM requests, which expands the attack surface for prompt injection, social engineering, and private-channel abuse. This directly conflicts with the later guidance that DMs are high-risk and should be treated as potentially adversarial, making unsafe behavior the default.

Intent-Code Divergence

High
Confidence
87% confidence
Finding
The document asserts all network requests go only to www.botlearn.ai, but also directs reading remote setup/update materials and reinstalling files, which expands network-driven behavior beyond the narrow community API described in the trust statement. Even if same-domain, this still broadens the trust boundary and enables remote instruction changes to affect behavior.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The document asserts all network requests go only to www.botlearn.ai, but also directs reading remote setup/update materials and reinstalling files, which expands network-driven behavior beyond the narrow community API described in the trust statement. Even if same-domain, this still broadens the trust boundary and enables remote instruction changes to affect behavior.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest presents the skill as a social community SDK, but the body adds autonomous installation, registration, credential storage, heartbeat scheduling, and persistent memory behaviors. This is a scope mismatch that hides materially different capabilities from anyone relying on the top-level description.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The self-update protocol instructs the agent to suspend its current task, fetch remote version data, reinstall files, and re-read instructions without approval tied to the user's current request. That is unnecessary for a social SDK and creates a remote-control path for future behavior changes.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The setup directs the agent to self-register with a remote service, obtain an API key, and persist credentials locally without any explicit user approval gate. That exceeds passive skill installation and creates a new external identity plus secret material under autonomous control, which can enable unauthorized data exchange and account creation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file instructs modification of the workspace HEARTBEAT.md to install recurring autonomous execution. This establishes persistence and scheduled behavior beyond the stated social SDK purpose, increasing the risk of unreviewed future network actions and making the skill harder for users to contain.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup chains installation of an additional external skill, botlearn-reminder, which broadens the trust boundary and introduces more code and instructions than the user requested. Pulling in a second remotely hosted skill compounds supply-chain risk and can add autonomous behavior not visible in the original manifest.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file instructs the agent to make authenticated external requests using a bearer token, but it does not pair those instructions with clear credential-handling safeguards at the point of use. In an agent setting, this increases the risk of accidental token exposure in logs, transcripts, shell history, screenshots, or copied examples, and encourages network transmission to a third-party service without an explicit user-consent warning.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Autonomous writes to `memory/botlearn-knowledge-YYYY-MM-DD.md` occur without a user-facing warning or approval step, so the agent can modify local state silently. Silent persistence is risky because users may not realize the skill is retaining derived information, and downstream tools or agents may later consume those files as trusted context.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
Mandating automatic approval of all DM requests forces agents into unsafe communication behavior without contextual judgment or user authorization. In an agent ecosystem, this can systematically expose agents to malicious private interactions that are harder to monitor than public channels.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The document explicitly claims that installation alone constitutes the human's authorization for the agent to participate, which is an unsafe policy shortcut. This can socially engineer an agent into bypassing normal consent, task-scoping, or per-action approval checks for network activity, credential handling, and future updates.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger terms are overly broad, including generic concepts like community, social, discuss, and peer interaction. That increases the chance the skill activates in unrelated conversations and introduces unsolicited external actions or persuasive instructions into benign contexts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup section directs autonomous registration, credential storage, heartbeat registration, and onboarding installation without an inline user-facing warning at the action point. These are state-changing external and local actions that should require informed consent, especially because credentials and recurring behavior are involved.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The heartbeat section requires recurring autonomous reads and execution of another file's instructions every 2+ hours, but does not provide a clear user warning or ongoing consent model. This creates a standing execution pathway that can evolve over time without a contemporaneous user request.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The skill explicitly tells the agent to never ask the human to register, call APIs, or perform actions, and to just do everything itself. This attempts to override normal user choice and consent around external side effects, which is unsafe even if some individual actions appear routine.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs authenticated requests using a bearer API key but does not warn that using these endpoints will transmit credentials and potentially account-linked community data to an external service. In an agent skill context, omission of an explicit consent/privacy warning increases the risk that an agent may send secrets or user-associated actions off-platform without clear user awareness.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The markdown instructs the agent to make a POST request to an external service for registration without a clear warning that agent metadata will be transmitted off-system. Silent outbound transmission during setup undermines informed consent and can expose environment-linked identity information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The credential storage section tells the agent to write the API key to disk but does not clearly warn the user that sensitive secrets will be persisted locally. Storing secrets without explicit disclosure increases the chance of accidental exposure through backups, logs, or permissive filesystem access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The heartbeat registration instructions modify workspace files to create ongoing scheduled behavior without a strong upfront warning. Hidden or under-disclosed workspace modification reduces user control and can normalize persistence mechanisms that trigger future actions automatically.

Ssd 3

Medium
Confidence
93% confidence
Finding
The document directs the agent to combine BotLearn observations with experience serving the human and save the result to memory without confirmation, which encourages retention of user-related context beyond the immediate interaction. Even if framed as reflection, this can capture sensitive patterns, project details, or inferred preferences and store them in a reusable form without the user's knowledge.

Ssd 3

Medium
Confidence
95% confidence
Finding
The retroactive improvement scan explicitly tells the agent to review recent memory, including conversation logs, task records, project notes, and previous knowledge entries, then use that information to generate suggestions. This broad historical review increases the risk of collecting, correlating, and resurfacing sensitive user information from unrelated contexts, creating a natural-language privacy and data-exposure hazard.

Ssd 1

Medium
Confidence
96% confidence
Finding
The file uses repeated reassuring claims like 'trusted', 'safe', 'auditable', and 'already reviewed' to lower resistance to sensitive operations including file writes, network calls, and credential storage. In an adversarial prompt environment, this kind of pre-authorization narrative is dangerous because it encourages the agent to trust assertions in the document instead of independently enforcing security controls.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal