Self Reflection

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can read recent conversation logs and make lasting changes to agent memory and skill instructions.

Install only if you intentionally want an agent to review recent conversation history and update durable memory or instruction files. Before enabling cron, restrict readable session paths and writable output paths, require review of proposed diffs, avoid direct edits to skill definitions, and audit any saved reflections for sensitive or poisoned content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill invokes shell commands and reads local session transcript files, but it declares no permissions or trust boundary for those capabilities. This is dangerous because it grants implicit access to sensitive conversation history and local files without an explicit consent/permission model, increasing the risk of unintended data exposure or unsafe execution in environments that rely on declared permissions for policy enforcement.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The skill's stated purpose understates its actual behavior: it enumerates recent sessions, reads transcript data from session JSONL files, and derives insights from raw user/assistant/tool history. That mismatch is dangerous because reviewers and users may believe this is a harmless reflection utility when it actually processes sensitive conversational content and can persist derived information into workspace memory files, creating a privacy and transparency failure.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill instructs the agent to edit multiple workspace and memory files based on inferred lessons from past sessions, but it provides no user-facing warning or approval gate before modifying persistent user data. This is risky because reflective summaries can accidentally store sensitive, inaccurate, or unnecessary information across durable files, affecting future behavior and potentially exposing private context to later tasks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: This script enumerates recent sessions and emits user and assistant transcript content directly to stdout, including tool error text, without any consent gate, redaction, or warning that sensitive conversation data may be exposed. In the context of a cron-driven self-reflection skill, that makes accidental disclosure more likely because private prompts, secrets, personal data, or internal context from unrelated sessions can be aggregated and propagated into logs or downstream files automatically.
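The overview's mitigations (confine readable session paths, redact before anything is written or logged, and review proposed diffs rather than editing memory files directly) can be wrapped around a reflection script like the one this finding describes. The following is an added example written for this page; it is not code from the skill, from SkillSpector, or from NVIDIA. It assumes the session transcripts are JSONL with `role` and `content` fields, that durable memory is a plain text file (called `MEMORY.md` here), and it uses illustrative secret patterns and a constructed sample transcript; all of those are assumptions, not facts about the skill.

```python
"""Guardrails around a self-reflection skill (added example, not the skill's code).

Assumptions: session transcripts are JSONL with 'role' and 'content' fields;
durable memory is a text file (MEMORY.md is a placeholder name).
"""
from __future__ import annotations

import difflib
import json
import re
from pathlib import Path

# Secret-looking substrings to strip before transcript text is summarised,
# printed, or persisted. Illustrative patterns; tune for your own credentials.
REDACTIONS = [
    (re.compile(r"sk-[A-Za-z0-9]{16,}"), "[REDACTED_API_KEY]"),
    (re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]{16,}"), "Bearer [REDACTED_TOKEN]"),
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED_AWS_KEY]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[REDACTED_EMAIL]"),
]


def confine_path(candidate: str, root: Path) -> Path:
    """Resolve candidate under root and refuse anything that escapes it.

    Blocks '..' traversal, absolute paths, and symlink escapes, so a cron
    job can only ever read the session directory it was granted.
    """
    root = root.resolve()
    resolved = (root / candidate).resolve()
    if resolved != root and root not in resolved.parents:
        raise PermissionError(f"session path escapes allowed root: {candidate}")
    return resolved


def redact(text: str) -> tuple[str, int]:
    """Return text with secret-looking substrings replaced, plus the hit count."""
    hits = 0
    for pattern, replacement in REDACTIONS:
        text, n = pattern.subn(replacement, text)
        hits += n
    return text, hits


def load_transcript(lines, allowed_roles=("user", "assistant")) -> list[dict]:
    """Parse JSONL transcript lines, keep only allowed roles, redact content.

    Tool output is dropped by default: tool error text is a common place for
    stray credentials and unrelated context to surface.
    """
    records = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip corrupt lines instead of echoing them to stdout
        if msg.get("role") not in allowed_roles:
            continue
        content, hits = redact(str(msg.get("content", "")))
        records.append({"role": msg["role"], "content": content, "redactions": hits})
    return records


def propose_memory_update(current: str, proposed: str, name: str = "MEMORY.md") -> str:
    """Return a unified diff for human approval instead of writing the file."""
    return "".join(difflib.unified_diff(
        current.splitlines(keepends=True),
        proposed.splitlines(keepends=True),
        fromfile=f"{name} (current)",
        tofile=f"{name} (proposed)",
    ))


# Constructed sample transcript for the demo; not real session data.
SAMPLE_JSONL = [
    '{"role": "user", "content": "deploy with key sk-abcdefghijklmnop1234 please"}',
    '{"role": "tool", "content": "Error: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"}',
    '{"role": "assistant", "content": "Lesson: always run tests before deploying."}',
    'not json at all',
]


def demo() -> dict:
    """Run the three guards over the constructed sample and return the results."""
    records = load_transcript(SAMPLE_JSONL)
    current = "# Memory\n- prefers concise answers\n"
    proposed = current + "- run tests before deploying\n"
    return {"records": records, "diff": propose_memory_update(current, proposed)}


if __name__ == "__main__":
    out = demo()
    for r in out["records"]:
        print(r)
    print(out["diff"])
```

The diff returned by `propose_memory_update` is what a reviewer approves before anything touches `MEMORY.md`; the same gate should sit in front of any edit to skill definition files, which the overview says the skill should not modify at all.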

VirusTotal

66/66 vendors flagged this skill as clean.
