Self Improvement

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it should be reviewed carefully because it encourages persistent agent memory, broad hooks, and cross-session sharing without strong redaction or consent boundaries.

Install only if you want a persistent agent-memory workflow. Keep hooks project-local, avoid always-on empty matchers where possible, never log secrets or raw sensitive output, and manually review any entry before promoting it into agent instruction files or sending it to another session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document's security section materially understates behavior by claiming the scripts only output text and do not run commands, while the hook configuration explicitly launches shell commands via the hook system. This can mislead users into granting trust or deploying the hooks without understanding that arbitrary local scripts are being executed in response to prompts and tool events.

Vague Triggers

Medium
Confidence
94% confidence
Finding
An empty matcher causes the activator hook to fire on every prompt, creating an overly broad trigger surface. In a self-improvement skill, that means unscoped automatic execution on all interactions, increasing the chance of unnecessary context injection, prompt interference, data exposure to hook scripts, and user habituation to silent automation.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The user-level configuration enables the hook globally for all sessions without narrowing conditions, so the script runs across unrelated projects and prompts. That broadens blast radius from a single repository to the entire user environment and may cause cross-project leakage of prompt-derived data or unsafe assumptions about where the hook is active.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The so-called minimal setup still uses an empty matcher, so it remains unconditional despite reducing the number of hooks. This preserves the core risk of automatic execution on every prompt while potentially giving users a false sense that the setup is materially safer.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The Codex CLI example also uses an empty matcher, documenting unconditional execution for all prompts in that environment. Repeating the same broad pattern across multiple agents increases the chance of widespread deployment of always-on hooks and normalizes unsafe default scoping.
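The empty-matcher pattern that the four findings above describe can be caught mechanically before a settings file is committed or installed. The following Python script is an added example, not part of the scanned skill or of SkillSpector: it walks a hooks map of the shape shown on this page (`hooks` → event → entries with `matcher` and `hooks`), flags entries whose matcher is empty, flags every `type: "command"` hook because it executes a shell command, and reports user-level scope. Both settings objects and the script paths `./scripts/activator.sh` and `./scripts/log.sh` are constructed for the example, and the scoped matcher `Edit|Write` assumes the matcher of a tool-event hook is matched against tool names.

```python
import json
from pathlib import Path

# Constructed settings objects (not the skill's own files). The first mirrors the
# always-on shape the findings describe: empty matchers on a prompt event and a
# tool event, each running a shell command. Script paths are placeholders.
BROAD_SETTINGS = json.loads("""
{
  "hooks": {
    "UserPromptSubmit": [
      {"matcher": "", "hooks": [{"type": "command", "command": "./scripts/activator.sh"}]}
    ],
    "PostToolUse": [
      {"matcher": "", "hooks": [{"type": "command", "command": "./scripts/log.sh"}]}
    ]
  }
}
""")

# Narrower alternative: no prompt-level hook at all, and the tool hook only fires
# for the tools named in the matcher (assumed here to be matched against tool names).
SCOPED_SETTINGS = json.loads("""
{
  "hooks": {
    "PostToolUse": [
      {"matcher": "Edit|Write", "hooks": [{"type": "command", "command": "./scripts/log.sh"}]}
    ]
  }
}
""")


def settings_scope(path):
    """'user' when the file lives in ~/.claude (applies to every project), else 'project'."""
    p = Path(path).expanduser().resolve()
    return "user" if p.parent == (Path.home() / ".claude").resolve() else "project"


def audit_hooks(settings, scope="project"):
    """List the review points a settings file must answer for before it is installed."""
    findings = []
    for event, entries in settings.get("hooks", {}).items():
        for entry in entries:
            matcher = entry.get("matcher", "")
            if not matcher:
                # Empty matcher: the hook is unconditional for this event.
                findings.append(f"{event}: empty matcher, hook fires on every {event} event")
            for hook in entry.get("hooks", []):
                if hook.get("type") == "command":
                    # A command hook runs a local shell command, whatever the docs claim.
                    findings.append(
                        f"{event}: executes shell command {hook.get('command')!r} "
                        f"(matcher {matcher!r})"
                    )
    if scope == "user":
        findings.append("user-level settings file: hooks are active in every project and session")
    return findings


if __name__ == "__main__":
    for label, cfg, scope in [("broad", BROAD_SETTINGS, "user"), ("scoped", SCOPED_SETTINGS, "project")]:
        print(label)
        for line in audit_hooks(cfg, scope):
            print("  -", line)
```

Run it against `~/.claude/settings.json` (user scope) and the repository's `.claude/settings.json` (project scope); any "empty matcher" line is the always-on trigger the findings warn about, and every "executes shell command" line is a script that deserves the same review as any other code you let run on your machine.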

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill encourages preserving user corrections, errors, and learnings across markdown files and later promoting them into broader memory files. Because no sanitization or sensitivity checks are required, user-provided secrets, internal paths, proprietary prompts, or incident details could be persistently copied into local or shared memory stores.

Ssd 3

Medium
Confidence
97% confidence
Finding
The inter-session communication section explicitly promotes reading other session transcripts and sending learnings across sessions without any data-classification limits. That creates a clear path for plain-language leakage of sensitive material from one session context into another, defeating isolation expectations and increasing the chance of unintended disclosure.

Ssd 3

Medium
Confidence
98% confidence
Finding
The logging template requests full context, actual error output, and input parameters, which commonly contain secrets such as API keys, tokens, emails, customer data, or internal endpoints. Persisting that material into markdown files substantially increases exposure risk, especially if the files are later committed, shared, or promoted into broader memory locations.
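Before an entry written with that template is promoted into a broader memory file or sent to another session, it should be scanned for exactly the material the three findings above list. The following Python check is an added example, not code from the skill: it scans an entry for access keys, credential assignments, bearer tokens, e-mail addresses and internal hostnames, redacts what it finds, and refuses promotion while anything remains. The log entry is constructed sample input; `AKIAIOSFODNN7EXAMPLE` is AWS's documented placeholder key, and `api.corp.internal` and `ops@example.com` are invented. The pattern list is illustrative, not exhaustive.

```python
import re

# Constructed sample entry following the logging template (context, error output,
# input parameters). Every sensitive-looking value is a placeholder, not real data.
ENTRY = (
    "Context: deploy against https://api.corp.internal/v1 failed after exporting "
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "Error output: 403 Forbidden for ops@example.com\n"
    "Input parameters: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc\n"
)

# Illustrative patterns, ordered so the most specific run first. Not exhaustive:
# extend with the key formats and internal domains your environment actually uses.
PATTERNS = [
    ("aws_access_key", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("credential_assignment", re.compile(
        r"(?i)(?:api[_-]?key|access[_-]?key(?:[_-]?id)?|secret|token|password)\s*[:=]\s*\S+")),
    ("bearer_token", re.compile(r"Bearer\s+[A-Za-z0-9._~+/-]+=*")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("internal_url", re.compile(r"https?://[A-Za-z0-9.-]*\.(?:internal|corp|local)\b\S*")),
]


def scan_entry(text):
    """Return (kind, matched_text) for every sensitive fragment found in the entry."""
    hits = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            hits.append((kind, m.group(0)))
    return hits


def redact(text):
    """Replace each sensitive fragment with a labelled placeholder, keeping the rest."""
    for kind, pattern in PATTERNS:
        text = pattern.sub(f"[REDACTED:{kind}]", text)
    return text


def safe_to_promote(text):
    """True only when nothing sensitive remains; gate promotion to memory files on this."""
    return not scan_entry(text)


if __name__ == "__main__":
    for kind, value in scan_entry(ENTRY):
        print(f"{kind}: {value}")
    print("promote original:", safe_to_promote(ENTRY))
    print(redact(ENTRY))
    print("promote redacted:", safe_to_promote(redact(ENTRY)))
```

Even with redaction in place, the manual review the overview asks for still applies: a regex catches token shapes and known domains, not a customer's name in a free-text "context" field or a proprietary prompt quoted verbatim.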

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
```
(the snippet is truncated on the page at this point)
Confidence
89% confidence
Finding
The flagged content is the project-level configuration shown above: a `UserPromptSubmit` hook with an empty matcher whose hook is of `type: "command"`, i.e. a shell command that runs on every prompt. Only the opening of the block is reproduced on the page.

VirusTotal

0/66 vendors flagged this skill; all 66 reported it clean.

A clean antivirus verdict only means that no vendor matched the skill's files against known malware signatures; it says nothing about the behavioral findings above, which concern what the hooks do once installed rather than what the files look like.