cpppp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a self-improvement logger, but it should be reviewed because it can persist conversation and error details into future agent memory and encourages cross-session sharing without strong privacy controls.

Install only if you want persistent self-improvement memory. Keep logs private, do not store secrets or raw prompts, redact error output before saving it, review every entry before promoting it into agent instruction files, avoid global every-prompt hooks unless needed, and use cross-session transcript or messaging tools only with explicit approval and sanitized summaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The document states that hook scripts 'only output text' and 'don't modify files or run commands,' but the configuration explicitly executes shell scripts via command hooks and elsewhere references a script that creates skill scaffolds. This mismatch can cause operators to underestimate the trust boundary and install auto-executed scripts with the wrong security assumptions.

Vague Triggers
Severity: Medium
Confidence: 75%
Finding: The activation guidance is broad enough that an agent may invoke the skill during ordinary conversation or routine failures without clear user intent. In this skill, over-activation matters because activation can lead to persistent logging of conversation-derived content, increasing privacy and data-retention risk beyond what the user expected.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: Trigger phrases such as common corrections and feature questions overlap heavily with normal conversational language, so routine dialogue can activate the skill. Because activation writes structured summaries, context, and requests to durable storage, this broad phrase matching can cause accidental retention of sensitive or private content.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: Using an empty matcher on UserPromptSubmit causes the hook to run for every prompt, greatly expanding the number of auto-executions and the amount of user content exposed to the hook path. In a self-improvement skill, this broad trigger makes any unsafe behavior in the hooked script more persistent and more likely to affect all sessions.

Vague Triggers
Severity: Medium
Confidence: 96%
Finding: The user-level configuration enables the hook globally across projects with no trigger constraints, creating persistent automatic execution in many contexts that may have different trust requirements. This increases blast radius, especially if the script processes sensitive prompts or is later modified maliciously or accidentally.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: The 'minimal setup' still attaches an unconstrained UserPromptSubmit hook, so it reduces overhead but not scope. Users may interpret 'minimal' as safer, when it still executes on every prompt and preserves the same broad exposure pattern.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The Codex CLI example repeats the empty matcher pattern, causing indiscriminate activation for all prompts in that environment as well. Reproducing the same broad trigger across multiple agent platforms increases the chance of unsafe default deployment and normalizes overly permissive automation.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The documentation explicitly encourages promoting learnings into persistent workspace files such as SOUL.md, TOOLS.md, and AGENTS.md, but it does not warn that these learnings may contain sensitive user content, error payloads, credentials, or private project details. In a self-improvement skill, this creates a realistic privacy and data-retention risk because transient session data can become durable context automatically reused in future sessions.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The file documents cross-session transcript access, messaging, and spawning without any privacy warning, consent model, or access-control discussion. This is dangerous because operators may treat session history and inter-session messaging as routine tools and inadvertently expose sensitive information from one task or user context to another session.

Ssd 3
Severity: Medium
Confidence: 92%
Finding: The skill encourages recording user corrections, requests, and contextual details into persistent markdown files, then promoting them into longer-lived memory locations. This creates a real confidentiality risk because natural-language logs often capture secrets, personal data, proprietary task details, or sensitive operational context that may later be read by other agents or users.

Ssd 3
Severity: High
Confidence: 96%
Finding: The explicit guidance to read other sessions' transcripts and send learnings between sessions materially increases the chance of cross-session data disclosure. Prior conversations may contain sensitive user data, secrets, or confidential project information, and this skill normalizes re-sharing that content without clear consent boundaries.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: The templates instruct agents to persist full context, parameters, error output, and user context, which commonly contain secrets, API tokens, internal paths, stack traces, and private business information. Storing such raw material in markdown files creates durable plaintext exposure that can later be indexed, committed, or accessed by other tools and agents.

VirusTotal

64/64 vendors flagged this skill as clean.
