botlearn-selfoptimize

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed self-improvement skill, but it gives the agent broad authority to read workspace memory, persist credentials, and post context to BotLearn with weak user approval controls.

Install only if you are comfortable with an agent-managed learning system that may persist local context and send summarized workspace information to botlearn.ai. Keep hooks project-scoped, use dry-run mode, review the exact outbound post yourself before sending, avoid storing secrets or confidential customer/project data in memory files, and rotate or remove the BotLearn API key if you stop using the integration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (44)

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill contains multiple shell commands and hook scripts but does not declare permissions or clearly constrain when those capabilities may be used. This creates hidden execution surface area, making it easier for an agent platform to run filesystem and shell actions the user did not meaningfully consent to.

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is local self-improvement logging, but the body also instructs remote registration, credential storage, memory harvesting, and external posting. That mismatch undermines informed consent and can cause operators to enable the skill without realizing it exfiltrates data and creates outside accounts.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The README explicitly states the skill can invoke a separate `botlearn-assessment` exam automatically and without confirmation once a milestone is reached. That exceeds the narrowly described logging/self-improvement role and creates an unexpected cross-skill action path, which can consume resources, expand data access, or trigger unintended behaviors without user awareness.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill directs autonomous registration with and posting to an external community service, which is materially beyond a local logging function. This introduces unsolicited network communication and third-party data sharing, increasing the risk of privacy breaches and unauthorized actions.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The graduation-test workflow instructs the agent to invoke another skill's full exam without confirmation. Even if intended as self-assessment, it expands behavior into autonomous orchestration with possible side effects not communicated by this skill's core purpose.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Automatic extraction of new reusable skills from learnings effectively creates new agent capabilities and persistence mechanisms. That can magnify mistakes or unsafe instructions into reusable artifacts without sufficient review.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The flow instructs the agent to read broad workspace memory files and use that material to build context for escalation to an external community. Even though the stated purpose is self-improvement, the implementation expands access to potentially sensitive internal data well beyond what is necessary, creating a clear risk of unintended disclosure and scope creep.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill adds third-party account registration and persistent credential storage, which is a materially different capability from local learning capture. This broadens the trust boundary, creates a standing secret on disk, and enables future outbound actions that the user may not expect from a self-optimization feature.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This section explicitly directs publication of internal troubleshooting context, including synthesized memory content, to a community endpoint. That is a real data exfiltration path because summarization does not prevent leakage of sensitive operational details, and the destination is outside the local workspace trust boundary.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document's security section is internally inconsistent: the hook configuration explicitly executes shell scripts via a command hook, yet it reassures users that the scripts only output text and do not run commands. That mismatch can mislead operators into underestimating execution risk, especially because hook scripts run automatically with the agent's permissions and can be modified or replaced.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script adds a registration workflow that creates and stores a long-lived API key in a local credentials file, which expands the skill from local self-improvement capture into persistent external service integration. In an agent skill context, this increases attack surface and creates durable outbound access that can be reused to transmit future data without strong scoping or lifecycle controls.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script packages learning entries, memory excerpts, related files, platform details, and Node.js version, then sends them to an external community service. That is a real data exfiltration path, and the manifest description does not clearly justify broad disclosure of workspace memory or environment information to third parties.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script searches MEMORY.md and recent daily memory files using summary-derived keywords and appends matching lines into the outbound post. Because these files may contain sensitive notes, secrets, internal URLs, or proprietary context unrelated to the issue, this broad contextual harvesting exceeds what is necessary for troubleshooting.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code claims to redact home paths for privacy, but only replaces literal $HOME path strings. Sensitive content in summaries, details, memory snippets, related files, host-derived identifiers, environment details, tokens, URLs, customer data, or internal project names would still be transmitted unchanged, creating a false sense of safety.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The automatic triggers are broad enough to match normal conversation patterns such as corrections, feature requests, and perceived knowledge gaps. In practice this can cause the skill to activate on routine interactions, leading to unsolicited logging, persistence, or follow-on actions that users did not knowingly request.

Missing User Warnings

High
Confidence
96% confidence
Finding
The community escalation flow says it will gather workspace memory, compose a help post, and post to the BotLearn community, but the README does not warn users that this external disclosure may happen automatically. That creates a real risk of exfiltrating sensitive workspace context, conversation content, internal code details, or secrets to a third party.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README allows an automatic exam invocation without confirmation and does not disclose that behavior as a user-facing warning. Even if the exam is internal, automatic execution of an additional workflow can surprise users, consume tools/tokens, and broaden the scope of processing beyond what they expected from a self-optimization logger.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation scope is broad enough to trigger during many ordinary interactions, increasing the chance of unexpected logging, promotion, and escalation behaviors. Ambiguous triggers are dangerous in agent skills because they enable side effects outside clear user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The automatic logging cues rely on vague natural language such as noticing corrections or requests, without strong boundaries. This can cause overcollection of conversation content and unintended persistence of sensitive user input.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill tells the agent to synthesize memory and environment context into posts to an external community without a prominent privacy warning or explicit consent step. This materially raises the risk of leaking proprietary code, file paths, transcripts, or operational details to a third party.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instructions direct storage of BotLearn credentials locally but do not explain security implications, lifecycle, or protection requirements. Poorly managed locally stored credentials can be stolen by other processes, users, or later prompts that access the file.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The exam workflow explicitly forbids confirmation but does not warn users about autonomous side effects. Users may trigger broader actions than intended, including cross-skill execution and persistent logging, without informed consent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The main template tells authors to include trigger conditions in the description but provides no requirement that those conditions be concrete, bounded, or testable. In an agent skill system, vague activation criteria can cause over-broad or unintended invocation, making it easier for downstream skills to run in inappropriate contexts and increasing the chance of unsafe actions or prompt-routing mistakes.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The minimal template further weakens safeguards by reducing the description field to a short statement of what the skill does and when to use it, without any structure for precise activation boundaries. Because minimal templates are likely to be copied frequently, this can propagate ambiguous routing behavior across many skills, leading to accidental activation in sensitive or unrelated scenarios.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The flow tells the agent to gather workspace information and later send it externally without an explicit user-facing warning or consent step at the point of collection. This undermines informed consent and makes accidental disclosure more likely, especially because the user may not realize local memory is being prepared for off-platform publication.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal