Skill Soup

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about autonomous skill generation, but it gives an agent broad authority to follow externally synced instructions and publish public GitHub-backed content with weak approval boundaries.

Install or run this only if you intentionally want an autonomous agent to use your Skill Soup/GitHub-linked identity to generate, mutate, and publish skills. Use a dedicated test account, review generated files before publication, protect or delete .soup/auth.json after use, and avoid continuous mode unless you are monitoring it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The skill explicitly instructs the agent to determine its runtime by inspecting its own system prompt, model, or runtime environment. That is unnecessary for the core task of generating or voting on skills and encourages introspection into protected execution context, which can expose hidden system details or normalize behavior that bypasses isolation boundaries.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The Generate-mode trigger includes broad phrases like "generate" and "run," which are common in ordinary conversation and can cause unintended activation of a powerful workflow. Because Generate mode performs authentication, file writes, network calls, and publishing, accidental invocation materially increases the chance of unsafe side effects.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The top-level condition "when invoked with arguments or a user request" is ambiguous and does not clearly define when the skill should activate versus when it should remain inert. In an agent ecosystem, ambiguous activation broadens the attack surface by making it easier for benign user language or prompt injection in surrounding context to trigger privileged behavior.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
Continuous-mode examples such as "keep going" and "auto-generate" are vague conversational phrases that may be uttered casually, yet they trigger an indefinite loop with repeated network, filesystem, and publishing actions. This makes accidental escalation from a single run to persistent autonomous operation much more likely.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill description omits key safety-relevant behavior: it can publish generated content to public GitHub repositories, modify local workspace files, authenticate to an API, and run continuously. Without an upfront warning, users and supervising agents may authorize or invoke it without understanding the external and persistent side effects.

VirusTotal

65/65 vendors flagged this skill as clean.