ClawHub

Lena Learning

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only memory helper, but it asks to persist conversation-derived data broadly and can alter future agent behavior without clear user approval or limits.

Review before installing. Use this only if you intentionally want persistent conversation memory, remove the bundled Thomas-specific notes first, and require explicit approval before it writes memory or edits AGENTS.md, TOOLS.md, USER.md, or similar control/profile files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The workflow explicitly allows updating AGENTS.md or TOOLS.md based on conversational corrections, which extends far beyond passive learning or note-taking. Letting routine user feedback propagate into core instruction files creates an instruction-injection and persistence risk, because untrusted conversation content can alter future agent behavior across sessions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Core agent and tool instruction files define trusted behavior boundaries, so permitting this skill to rewrite them based on detected corrections is a serious privilege escalation. An attacker could disguise adversarial instructions as feedback and permanently weaken safeguards or alter tool usage policies.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger conditions are broad and ambiguous (for example, 'am Ende jeder Session', 'bei signifikanten Entscheidungen', and a daily heartbeat), which can cause the skill to run without clear user intent or informed consent. In this skill's context, unintended invocation is especially risky because activation leads to persistent writes of conversation-derived data into memory files.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill description says the agent learns from every conversation and improves automatically, but it does not clearly warn users that content may be written persistently to files like MEMORY.md, USER.md, TOOLS.md, and daily logs. This is dangerous because users may disclose sensitive information under the assumption of ephemeral processing, while the skill normalizes silent long-term retention.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger 'Am Ende jeder Session' is broad and underspecified, making the workflow likely to run in many normal situations without clear user intent. Broad activation increases the chance of unintended data extraction and persistence, especially when the workflow scans recent messages for feedback and preferences.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The correction handler is triggered by loosely defined 'correction patterns,' which can easily overlap with ordinary discussion, disagreement, or quoted text. Because the workflow then stores content and may propagate it further, ambiguous matching can persist unintended or attacker-controlled data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow writes extracted learnings, corrections, and preferences into dated memory files without any notice or consent mechanism. Silent persistence of user-derived data creates privacy and retention concerns and can preserve sensitive or incorrect information beyond the original conversation.

Missing User Warnings

High
Confidence
96% confidence
Finding
This workflow not only persists corrections with timestamps but may also update AGENTS.md or TOOLS.md, all without explicit warning. That combines hidden persistence with modification of trusted agent instructions, substantially raising the risk of stealthy policy drift and long-term compromise.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
Hard-coding a specific user's language and behavioral preferences without opt-in or dynamic validation can cause incorrect profiling and persistent misapplication of preferences. While lower severity than instruction-file modification, it still creates privacy, consent, and reliability issues when preferences are assumed rather than explicitly confirmed.

Ssd 3

Medium
Confidence
97% confidence
Finding
The objective explicitly instructs continuous learning from every conversation and storage of insights, corrections, and preferences for future responses. That broad retention model creates a strong risk of collecting sensitive user data, credentials, proprietary information, or contextual details that can later be exposed, misused, or inappropriately surfaced in other interactions.

Ssd 3

Medium
Confidence
96% confidence
Finding
The memory system directs the agent to maintain daily logs, long-term memory, and user/tool preference files, including 'raw notes'. In practice, raw session notes and preference files are likely to capture sensitive details from conversations, increasing the chance of later disclosure through prompts, file access, or cross-session reuse.

Ssd 3

Medium
Confidence
98% confidence
Finding
The post-conversation routine mandates identifying new learnings and updating memory files after every interaction, which encourages indiscriminate retention rather than selective, consent-based storage. In this skill, the danger is amplified because the workflow is systematic and automatic, making overcollection and persistence of sensitive information the default behavior.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill directs the agent to retain session learnings, corrections, and preferences across conversations in memory files, creating persistent user profiling and data retention behavior. This becomes dangerous when the stored content is derived from untrusted conversation text and may include sensitive, mistaken, or manipulative inputs.

Ssd 3

Medium
Confidence
95% confidence
Finding
Automatically saving corrections with timestamps and potentially propagating them into agent configuration creates a durable attack path from transient chat content into future system behavior. Timestamping also increases traceability of user interactions, compounding privacy concerns alongside the persistence risk.

Ssd 3

Low
Confidence
82% confidence
Finding
Continuously monitoring and recording a named user's preferences across conversations is a form of persistent profiling. In this skill's context, the danger is mostly privacy and consent related, but it becomes more concerning because the workflow is framed as automatic and ongoing rather than user-controlled.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal