The Primer

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended as a personal coaching/persona setup, but it makes persistent agent-behavior changes and may schedule recurring tasks without enough clear user control.

Install only if you intentionally want this skill to create a persistent personal coaching profile and change future agent behavior. Before running setup, review the exact edits to AGENTS.md and SOUL.md, avoid cron setup unless you explicitly want recurring automation, and decide what sensitive personal reflections should be stored, retained, or deleted.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%

Finding: The skill's stated purpose is persona/tutoring setup, but it instructs the agent to modify core configuration files and establish scheduled tasks. This expands scope from advisory behavior into persistent system reconfiguration, which can silently change agent operation beyond the immediate task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%

Finding: Creating cron jobs introduces autonomous recurring behavior that continues after the initial interaction. For a tutoring/persona skill, that persistence is not necessary to fulfill the core purpose and increases the risk of unintended execution, privacy exposure, and operational surprise.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%

Finding: The script exceeds its stated setup role by directly rewriting AGENTS.md and SOUL.md, which are core instruction files that can materially change agent behavior across the workspace. Even without malicious intent, modifying these files creates a durable prompt/instruction injection surface and can alter future sessions in ways the user may not expect or have explicitly approved.

Intent-Code Divergence

Severity: Low
Confidence: 79%

Finding: The implementation uses brittle string replacement to modify AGENTS.md, so it may silently fail, insert malformed instructions, or place behavior-changing text in the wrong context. While not directly an exploit by itself, this kind of unreliable rewrite of a control file can corrupt workspace instructions and make later prompt behavior unpredictable.

Vague Triggers

Severity: Medium
Confidence: 78%

Finding: The description includes broad invocation cues like personal development, life transitions, and wanting challenge, which can match many ordinary conversations. Over-broad triggers can cause accidental activation of a skill that performs persistent file and configuration changes.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding: The skill directs immediate file creation and later deletion of a scratchpad without an upfront warning that workspace state will be changed. Users may believe they are only answering questions, while the agent is persisting sensitive personal information and altering local files.

Missing User Warnings

Severity: High
Confidence: 97%

Finding: The skill instructs modification of AGENTS.md and SOUL.md and creation of cron jobs without clear upfront disclosure of these persistent system-level changes. These actions can alter startup behavior and create background automation in ways the user may not expect or easily notice.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding: The script writes PRIMER.md and may modify AGENTS.md and SOUL.md immediately after reading config, with no confirmation prompt, dry-run mode, or approval gate. In a setup flow mediated by an agent, that makes it easy for a user to trigger persistent workspace instruction changes without fully understanding the scope of what will be altered.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%

Finding: The inserted SOUL.md text hardcodes a tutor persona with authority to push, challenge, and interpret drift, which changes the assistant's behavioral stance without preserving user wording or obtaining policy-aware opt-in. Because SOUL.md influences future interactions, this becomes a persistent behavioral override rather than a transient personalization detail.

Ssd 3

Severity: Medium
Confidence: 92%

Finding: The setup stores life stage, purpose, patterns, and accountability details in persistent files, which are sensitive personal and behavioral data. Collecting and retaining this information without minimization or consent increases privacy and misuse risk.

Ssd 3

Severity: Medium
Confidence: 94%

Finding: The skill requires reading PRIMER.md every session and carrying forward a standing record of the user's goals, weaknesses, and permissions. Persistent reuse of this profile increases the blast radius of any disclosure and can normalize ongoing processing of sensitive behavioral information.

Ssd 3

Severity: Medium
Confidence: 95%

Finding: Daily reflections and Miranda logs are likely to capture intimate self-evaluations, relationship details, and behavioral weaknesses over time. Regular accumulation of this material creates a sensitive longitudinal record that could be exposed or repurposed.

Ssd 1

Severity: High
Confidence: 97%

Finding: Adding 'Read PRIMER.md — the subversive tutor protocol' to AGENTS.md explicitly instructs future sessions to load a behavior-altering protocol at startup. This is dangerous because AGENTS.md is a high-leverage instruction file; embedding a persistent behavioral redirection there can override normal neutral-assistant expectations and create a durable prompt-injection mechanism across the workspace.

Ssd 1

Severity: High
Confidence: 97%

Finding: The 'Primer Role' section attempts to redefine the assistant from a neutral helper into an opinionated tutor that should challenge the user and judge whether they are drifting from stated purpose. In the context of a persistent instruction file, this is a strong behavioral override that can bias future model actions, reduce user control, and normalize adversarial or manipulative prompting as part of baseline operation.

VirusTotal

64/64 vendors flagged this skill as clean.