Sage Coo

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent AI COO assistant, but it asks agents to automatically modify future-agent instruction files and maintain shared long-term company memory without enough explicit user control.

Review this before installing if your workspaces contain confidential business data or if you rely on AGENTS.md, CLAUDE.md, SOUL.md, or similar files for trusted agent behavior. Install only if you are comfortable with a skill that can initialize ~/.sage, store company facts for future sessions, and alter workspace instruction files; prefer running its scripts manually after reviewing the exact changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly instructs the agent to create or modify workspace files such as AGENTS.md, CLAUDE.md, SOUL.md, and related identity files, but it does not require clear user consent immediately before making those filesystem changes. This is dangerous because it can silently alter repository or workspace behavior, persist prompt-control artifacts, and affect future agent sessions in ways the user may not expect.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill directs initialization, reading, writing, and maintenance of persistent data under ~/.sage, including company facts and decisions, without a prominent up-front disclosure and consent flow. This creates risk of silent long-term storage of sensitive business information in a shared persistent location, which may surprise users and increase exposure of confidential operational data.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger phrase covers very broad business topics such as OKR, metrics, weekly meetings, retrospectives, and how a company operates, so the skill may activate in many ordinary conversations beyond a narrowly intended COO workflow. Over-broad activation increases the chance that this skill injects persistent memory-writing or operating-system guidance into unrelated contexts, which can mislead users or cause unintended changes to workspace state.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The file says to load whenever a user's question falls into a set of 'typical scenarios,' but the scenario list covers a very large fraction of normal business and team-management queries. That broad routing condition can cause the skill to activate outside its intended scope, injecting strong behavioral instructions and workflow assumptions into unrelated conversations and potentially overriding more appropriate, narrower skills.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger phrase for the 90-day framework includes broad natural-language conditions like 'how to set up company operations' or when a new workspace has just completed onboarding. Such ambiguous phrasing can activate a heavyweight operating-system playbook in contexts where the user only wants narrow advice, leading to over-collection of organizational context, unnecessary process imposition, and unintended persistence into ~/.sage.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The onboarding instructions direct the agent to create or modify workspace identity files and continuously write to ~/.sage and other local files as part of normal interaction, but they do not require explicit user consent immediately before those filesystem changes. In an agent setting, this can cause unauthorized persistence, alteration of workspace behavior for future agents, and unexpected local state changes beyond the user's intent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
These instructions direct the agent to create multiple repository files in a workspace when certain files are absent, but they do not require explicit user confirmation or provide a warning that project files will be modified. In an agent skill, this can lead to unexpected persistent changes to a user's repository, including silently altering agent behavior across future sessions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill instructs the agent to append or refresh managed blocks in existing workspace files such as AGENTS.md, CLAUDE.md, SOUL.md, and IDENTITY.md without requiring explicit consent before editing user-controlled project files. Because these files influence agent behavior and identity, modifying them can persistently change how tools operate in the repository and may override or conflict with existing project conventions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The protocol directs the agent to persist user-provided information into a shared cross-workspace store under `~/.sage`, including temporary, unresolved, and confirmed information, but it does not require clear upfront notice and consent before persistence. This creates a real privacy and data-governance risk because users may reveal sensitive business, personal, financial, or customer data in normal conversation without realizing it may be stored for future reuse across projects and agent sessions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script creates and modifies workspace files immediately when run, but provides only informational logs and no explicit confirmation, dry-run mode, or backup step. In an agent-skill context, this is risky because users may invoke the bootstrap expecting inspection or setup assistance and instead get persistent changes to important instruction files across the workspace.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The awk/mv logic overwrites any existing managed block between the markers without first surfacing a diff or warning that prior content inside that block will be replaced. This can destroy customized agent instructions or local policy text, which is especially sensitive because these files influence agent behavior and trust boundaries in the workspace.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (excerpt from the skill's bootstrap script):
    echo "[INFO] Existing $TARGET moved to $BACKUP"
    fi

    mkdir -p "$TARGET"
    cp -R "$SAGE_HOME"/. "$TARGET"/

    cat > "$TARGET/README.md" <<'EOF'
Confidence: 92%
Finding (flagged lines, as reported by the scanner; the excerpt is cut off in the report):
    mkdir -p "$TARGET"
    cp -R "$SAGE_HOME"/. "$TARGET"/
    cat > "$TARGET/README.md" <<'EOF'
    # Sage DNA Mirror
    This folder is a read-only workspace mirror of `~/.sage`, created for convenient browsing.
    Rul

VirusTotal

VirusTotal findings are pending for this skill version.