ClawHub

Sage Cpo

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended as a persistent product-strategy assistant, but it can automatically rewrite workspace agent instruction files and create long-lived product memory without a clear confirmation step.

Install only if you want Sage CPO to become a persistent product partner for a workspace. Before first use, review and ideally commit or back up AGENTS.md, CLAUDE.md, SOUL.md, IDENTITY.md, TOOLS.md, USER.md, and HEARTBEAT.md, because the bootstrap script may create or rewrite them. Treat ~/.sage as long-lived business memory and avoid storing secrets, API keys, banking details, private links, or sensitive personal data there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script writes or updates multiple workspace instruction files (AGENTS.md, CLAUDE.md, SOUL.md, IDENTITY.md, TOOLS.md, USER.md, HEARTBEAT.md, and possibly AGENT.md) without scoping changes to the advertised ~/.sage/product area. This can materially alter agent behavior across a repository by injecting persistent identity and operating instructions, which is a security-relevant trust-boundary change even if framed as product setup.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs persistent writes into ~/.sage and related product memory files, but it does not require an explicit user confirmation or clear warning before modifying local data. In an agent setting, this can cause unintended persistence of sensitive business information, accidental overwrite of local memory, or silent creation of long-lived artifacts that affect later sessions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The default prompt establishes a persistent, high-level role and instructs the agent to inspect or initialize data under ~/.sage before clarifying user intent or scope. Broad activation prompts can cause unnecessary file access, overreach into unrelated tasks, and inconsistent behavior across sessions, especially when paired with long-term memory or initialization actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The file explicitly recommends updating several paths under `~/.sage`, which can cause an agent to modify persistent user or project memory without clear consent, scope limits, or confirmation. In an agent skill context, write guidance to durable state is security-relevant because it can alter future behavior, overwrite user data, or create hard-to-audit side effects.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger condition '当用户的问题落入以下典型产品场景时,加载本文件' is broad and underspecified, which can cause this skill content to be invoked in situations where the user did not explicitly request product/CPO guidance. In an agent setting, vague routing increases the chance of instruction bleed-through, unnecessary context injection, and misalignment with user intent, especially because the file imposes strong behavioral framing for all subsequent judgments.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file is entirely written as mandatory Chinese guidance without any indication that language should follow the user's preference, creating a risk that the agent responds in a language the user did not request. In a general-purpose coding/product assistant that claims compatibility across multiple tools, forcing a single language can degrade usability, cause misunderstanding, and override higher-priority user communication needs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The onboarding instructions direct the agent to write multiple files under ~/.sage/product/ without any explicit user confirmation, preview, or warning that local workspace data will be modified. In an agent setting, silent file creation or modification can overwrite existing notes, create unwanted persistent state, or cause the user to trust outputs they did not knowingly authorize.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script modifies existing markdown instruction files in place and creates new ones if absent, but provides no prompt, consent flow, or preview of the changes. In an agent-skill context, silent persistence into instruction files is dangerous because it can steer future agent sessions and alter repository behavior without informed user approval.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal