claw-graceful-recovery

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it needs review because broad triggers can stop and reset active work, and it may silently write recovery details to a local log.

Install only if you want Claw to automatically abort and reset failed WeChat tasks. Before enabling broadly, narrow triggers to explicit permission-denial signals, require confirmation for generic stuck or unresponsive cases, and either disable the fallback log or define redaction, retention, and deletion rules for any recovery metadata written to disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The documentation tells operators not to expose full system paths, yet its user-facing examples include sensitive-looking absolute paths such as /var/log/system.log and /etc/hosts. Even as examples, this normalizes leaking filesystem structure to end users and may lead implementers to copy unsafe templates into production responses, increasing information disclosure risk during error handling.

Intent-Code Divergence

Low
Confidence: 84%
Finding
The example response uses technical permission language such as "root required," which conflicts with the policy to avoid technical terms in user feedback. This can confuse users and leak environment-specific privilege details that are unnecessary for recovery-oriented messaging.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger list includes broad, everyday phrases such as '卡住了', '无响应', '强制恢复', and '恢复待命', which can plausibly appear in normal user conversation and unintentionally activate the recovery skill. In this context, accidental activation is security-relevant because the skill clears task context, stops current work, and may skip failures, allowing denial-of-service of active tasks or unwanted state resets through ambiguous chat input.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger list includes vague phrases such as 'stuck' and 'unresponsive' that can activate the recovery workflow outside genuine permission-error conditions. In an agent skill that clears task context and alters execution flow, overbroad activation increases the risk of unintended task cancellation, state loss, or denial of service through accidental or adversarial triggering.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill instructs the agent to silently append recovery details to a local log when WeChat is unavailable, without notifying the user or defining retention limits. Even though the template is brief, logging operation names and error types can create undisclosed local persistence of potentially sensitive task metadata and may violate privacy or data-handling expectations.

VirusTotal

63/63 vendors flagged this skill as clean.
