botlearnb-autodidact

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can repeatedly inspect past sessions, install other skills, and interact with external communities.

Install only if you deliberately want an autonomous learning workflow. Prefer manual-only operation, require approval for every memory review, search, install, DM, and post, review all outbound text for private context, and set clear limits for retention and removal of stored learning tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The skill authorizes direct messaging and public posting about user tasks to an external community, which expands data exposure beyond what a self-improvement trigger reasonably implies. Even with stated consent and privacy constraints, this creates a real risk of oversharing sensitive task details, social engineering via third parties, and unauthorized externalization of user context.

Context-Inappropriate Capability

Medium (96% confidence)
Finding
A 4-hour autonomous loop gives the skill continuing agency to inspect memory, search externally, and potentially prepare follow-on actions without a fresh user request. For a learning-assistance skill, that is an unjustified persistence mechanism that can amplify privacy, autonomy, and unintended-action risks over time.

Context-Inappropriate Capability

Low (87% confidence)
Finding
Cross-session persistence of original requests, session IDs, timestamps, attempts, and notes creates a durable behavioral record that exceeds the minimum needed for a simple study helper. This increases privacy risk, enables unintended profiling of user activity, and broadens the blast radius if the stored data is later exposed or reused improperly.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The strategy authorizes installing new skills via `clawhub install`, expanding the agent’s capabilities beyond passive learning into code/package acquisition and execution. Even with user approval and an `@botlearn` scope check, this materially increases supply-chain and privilege risk because newly installed skills can introduce broad new actions or unsafe behavior.

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The strategy enables searching communities, drafting questions, and posting externally, which gives the agent outbound communication capability not strictly necessary for self-study. That broadens the trust boundary and creates opportunities for unintended disclosure, social engineering amplification, spam, or reputational harm, especially when task details are derived from prior user sessions.

Missing User Warnings

Medium (89% confidence)
Finding
The README explicitly describes continuous extraction of unsolved tasks from session memory and outreach to external communities, but it does not prominently warn that prior user requests may contain sensitive or personal information. Even though it mentions sanitization and approval gates, the documented behavior normalizes privacy-sensitive inspection and possible disclosure flows without clearly defining limits, consent scope, or what data is excluded.

Missing User Warnings

Medium (92% confidence)
Finding
The scheduled 4-hour autonomous execution increases risk because it can repeatedly inspect prior tasks and potentially trigger external actions with reduced user awareness over time. In this skill's context, autonomy combined with memory access and community engagement makes the absence of a strong warning and clear consent model more dangerous, since the behavior may continue in the background and amplify accidental data exposure.

Vague Triggers

High (97% confidence)
Finding
The trigger phrases are broad everyday language such as 'learn', 'get better', and 'find solutions', making accidental activation likely during normal conversation. Because the skill includes memory scanning, external search, and potential skill installation/community workflows, ambiguous triggering materially raises the chance of unintended privileged behavior.

Vague Triggers

Medium (92% confidence)
Finding
The manual activation condition uses vague wording like 'learn', 'improve', or similar, leaving unclear boundaries for when the skill should take control. This ambiguity is dangerous because it can cause the agent to scan session memory and initiate high-impact workflows when the user intended only casual conversation.

Missing User Warnings

Medium (88% confidence)
Finding
The community-engagement sections encourage posting and direct messaging about tasks, blockers, installed skills, and errors, but they do not consistently require sanitization of task content, logs, or organizational context before sharing. In a self-learning skill that explicitly researches unsolved user tasks, this can lead to inadvertent disclosure of sensitive user, business, or system information to external communities.

Missing User Warnings

Medium (89% confidence)
Finding
The documentation includes a session-memory example containing userRequest, output, userFeedback, satisfaction, and skill usage data without any explicit privacy guidance, minimization advice, or warning about sensitive content handling. In a self-improving/autodidact skill, this is risky because it normalizes pulling prior user interactions into learning workflows, which can lead to retention, reuse, or disclosure of potentially sensitive user data beyond the original purpose.

Vague Triggers

Medium (91% confidence)
Finding
The manifest description explicitly advertises autonomous self-learning behavior that includes identifying tasks, searching for solutions, installing new skills, and external community engagement. That is unusually broad authority for a skill description and, without clear scope or gating in the manifest, it increases the risk of uncontrolled invocation, unsafe capability expansion, and exposure to untrusted external content.

Vague Triggers

Medium (84% confidence)
Finding
The package description explicitly advertises "Autonomous self-learning" that "continuously improves" the agent, but provides no boundaries, approval requirements, or scope limitations. In an agent-skill ecosystem, broad self-modification or self-directed learning claims can encourage unsafe autonomous behavior, including unreviewed strategy changes or data ingestion beyond intended trust boundaries.

Ssd 3

Medium (97% confidence)
Finding
The community post template explicitly includes original task descriptions, prior attempts, session IDs, and user dissatisfaction/feedback, which can expose sensitive prompts, internal identifiers, or private context in plain language. Although the strategy says to remove sensitive information, the default template itself encourages over-sharing and makes accidental data leakage likely.

Ssd 3

Medium (95% confidence)
Finding
The test explicitly instructs the agent to inspect prior session memory for 'unsatisfied or incomplete tasks' and include detailed past-task information in a structured report. That can cause disclosure of sensitive conversational history, user data, or internal state that was never meant to be surfaced in the current interaction, especially because the task rewards specificity about what went wrong.

VirusTotal

65/65 vendors flagged this skill as clean.