Security checks across malware telemetry and agentic risk

Overview

This skill is disclosed as a self-improvement logging skill, but it needs review: it can persist sensitive context into future agent prompts, and it encourages broad hooks, transcript access, and sub-agent workflows without adequate scoping controls.

Install it only if you want a persistent agent-learning workflow. Keep logs project-local where possible, do not enable global hooks by default, redact secrets and private transcript details, and require explicit review before promoting entries into AGENTS.md, SOUL.md, TOOLS.md, MEMORY.md, CLAUDE.md, or Copilot instructions. Allow cross-session transcript reading, session messaging, and sub-agent spawning only with clear user intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 85%
Finding:
The skill is presented primarily as a logging/continuous-improvement aid, but it also instructs use of hooks, cross-session tooling, and a script that creates new skill scaffolds on disk. That behavior expansion matters because users may authorize it expecting passive note-taking, while it can trigger broader persistence and file-creation actions with security and governance implications.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The document's security section states that the scripts only output text and do not run commands, but the hook configuration explicitly invokes shell commands via the hook system. This mismatch can mislead users into underestimating the trust and execution risk of those scripts, causing them to enable automatic command execution without appropriate review.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The document substantially broadens a self-improvement skill into workspace prompt injection, cross-session coordination, and persistent behavioral state management. That scope expansion is dangerous because it normalizes high-privilege context injection and durable memory changes for a skill whose stated purpose is only to capture learnings and corrections, increasing the chance of privilege creep, hidden instruction persistence, and misuse across sessions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
Reading other sessions' transcripts is not necessary for logging mistakes or learnings and creates unnecessary access to potentially sensitive historical context. In the context of a self-improvement skill, this expands data access beyond least privilege and could expose secrets, user data, or unrelated task content to a component that does not need it.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The ability to spawn background sub-agents is unrelated to a narrow learning-log skill and unnecessarily increases operational reach. In this context, it can enable autonomous side actions, broaden attack surface, and create pathways for unsupervised collection or propagation of information under the guise of self-improvement.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
The activation guidance covers very common situations like failures, corrections, and discovering a better approach, which can cause the skill to trigger in many normal conversations. Over-broad activation increases the chance of unnecessary persistence, logging of sensitive context, and unreviewed side effects becoming the default behavior.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
Using generic phrases such as common corrections or feature questions as automatic detection triggers is unsafe because those phrases occur routinely and without intent to persist data. This can cause accidental activation and logging based on natural conversation patterns rather than explicit consent.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
Using an empty matcher causes the hook to fire on every prompt, creating broad automatic execution with no scoping to relevant workflows. In a self-improvement skill, this increases exposure, token overhead, and the chance that unreviewed scripts influence unrelated sessions or sensitive tasks.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The user-level configuration enables the hook globally for all sessions, but the guide does not define boundaries for when this should or should not run. Persistent global activation magnifies the blast radius of any script bug, prompt interference, or future script modification across unrelated projects.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The setup instructions introduce hooks as reminders but do not clearly warn that the configured entries automatically execute shell commands on prompt submission and tool events. Users may follow the guide without realizing they are enabling automatic code execution in their agent environment.
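
The three hook findings above (catch-all matcher, user-level enablement, and "command" entries that execute shell on every firing) can be checked mechanically before a hooks file is adopted. The audit below is an added example, not code from the skill or from SkillSpector. It assumes a settings JSON with a `hooks` object keyed by event name, each entry carrying a `matcher` and a list of hooks of `type` `command` (the layout used by Claude Code-style settings files); the event names in `BROAD_EVENTS`, the script paths, and both sample configurations are constructed for the illustration.

```python
import json
from dataclasses import dataclass

# Events that fire on every prompt or every tool call; a command hook attached to one of
# these with a catch-all matcher runs on each interaction in the session. (Event names and
# the config layout are assumptions for this example, not taken from the scanned skill.)
BROAD_EVENTS = {"UserPromptSubmit", "PreToolUse", "PostToolUse"}
CATCH_ALL_MATCHERS = {"", "*", ".*"}


@dataclass(frozen=True)
class Issue:
    scope: str      # "user" = global settings file, "project" = repo-local settings file
    event: str
    severity: str   # "info" or "medium"
    message: str


def audit_hooks(settings: dict, scope: str) -> list:
    """Flag command hooks (shell execution), catch-all matchers, and global enablement."""
    issues = []
    for event, entries in settings.get("hooks", {}).items():
        for entry in entries:
            commands = [h for h in entry.get("hooks", []) if h.get("type") == "command"]
            if not commands:
                continue
            # Whatever the guide calls it, a "command" hook runs a shell command each time it fires.
            for h in commands:
                issues.append(Issue(scope, event, "info",
                                    f"command hook runs shell: {h.get('command', '')!r}"))
            matcher = entry.get("matcher", "")
            if event in BROAD_EVENTS and matcher in CATCH_ALL_MATCHERS:
                issues.append(Issue(scope, event, "medium",
                                    "catch-all matcher: fires on every event of this type"))
            if scope == "user":
                issues.append(Issue(scope, event, "medium",
                                    "enabled in user-level settings: applies to every project"))
    return issues


def medium_issues(settings: dict, scope: str) -> list:
    """Only the findings that should block adoption of the config."""
    return [f"{i.event}: {i.message}" for i in audit_hooks(settings, scope)
            if i.severity == "medium"]


# Constructed sample of the pattern the findings describe: global settings, empty matchers,
# one reminder script wired to both prompt submission and every tool result.
WEAK_USER_SETTINGS = json.loads("""
{
  "hooks": {
    "UserPromptSubmit": [
      {"matcher": "", "hooks": [{"type": "command", "command": "bash ~/.skills/learn/remind.sh"}]}
    ],
    "PostToolUse": [
      {"matcher": "", "hooks": [{"type": "command", "command": "bash ~/.skills/learn/remind.sh"}]}
    ]
  }
}
""")

# Constructed sample of the scoped alternative: project-local file, a single event, matcher
# limited to the Bash tool, so the script only runs after shell commands in this repository.
SCOPED_PROJECT_SETTINGS = json.loads("""
{
  "hooks": {
    "PostToolUse": [
      {"matcher": "Bash", "hooks": [{"type": "command", "command": "bash .skills/learn/remind.sh"}]}
    ]
  }
}
""")

if __name__ == "__main__":
    for name, cfg, scope in [("weak", WEAK_USER_SETTINGS, "user"),
                             ("scoped", SCOPED_PROJECT_SETTINGS, "project")]:
        print(f"== {name} ({scope}) ==")
        for issue in audit_hooks(cfg, scope):
            print(f"[{issue.severity}] {issue.event}: {issue.message}")
```

The "info" entries are deliberately never suppressed: even the scoped config executes a script, and the point of the Intent-Code Divergence finding is that this should be visible to whoever reviews the file, not hidden behind the word "reminder".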

Natural-Language Policy Violations

Severity: Medium
Confidence: 83%
Finding:
Telling the agent to avoid unnecessary caveats and disclaimers can suppress safety-relevant communication and reduce transparency when uncertainty, risk, or policy constraints should be disclosed. Because this content is intended for persistent behavioral injection, it can systematically bias responses away from appropriate warnings across many future interactions.

Ssd 3

Severity: Medium
Confidence: 90%
Finding:
The skill encourages persistent storage of corrections, requests, and learnings across sessions, but it does not define strong minimization, redaction, retention, or consent controls. That creates a real risk that sensitive user content, secrets, internal project details, or personal data will be retained and later exposed to other sessions or collaborators.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
The prescribed log schema asks for detailed user context, command inputs, parameters, environment details, related files, and error output. Those fields can easily capture confidential business data, credentials, internal paths, or sensitive prompts, making the logs a durable disclosure channel.
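
The two findings above describe what is missing: minimization, redaction, and a review gate before an entry persists. The filter below is an added example of those controls, not code from the skill. The field names follow the schema the finding lists (command inputs, parameters, environment details, related files, error output); the allowlist, the redaction patterns, the `pending-review` status and the sample entry are constructed for this illustration and would need tuning for a real workspace.

```python
from __future__ import annotations

import re
from typing import Any

# Fields allowed to persist. Everything else (environment, raw parameters, free-form user
# context) is dropped before writing; only the field names are recorded so a reviewer can
# see what was withheld. Constructed policy, not the skill's.
ALLOWED_FIELDS = {"timestamp", "category", "summary", "correction",
                  "command", "error_output", "related_files"}

# Ordered: specific token formats first, then key=value shapes, then identifiers. The rules
# are deliberately broad: a false positive costs one redacted token, a miss leaks a secret.
REDACTIONS: list[tuple[re.Pattern[str], str]] = [
    (re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), "[REDACTED:aws-key-id]"),
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"), "[REDACTED:github-token]"),
    (re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"), "[REDACTED:api-key]"),
    (re.compile(r"(?i)\b(bearer|basic)\s+\S+"), r"\1 [REDACTED]"),
    # Shell-style assignment whose variable name ends in a secret-ish suffix.
    (re.compile(r"\b([A-Z][A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|KEY))=(\S+)"),
     r"\1=[REDACTED]"),
    # "password: hunter2", "api_key = abc", "token=xyz" in prose or shell fragments.
    (re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b(\s*[:=]\s*)\S+"),
     r"\1\2[REDACTED]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[REDACTED:email]"),
    # Collapse the user-specific part of a home directory; keeps the project-relative path.
    (re.compile(r"/(?:home|Users)/[^/\s]+"), "~"),
]


def redact_text(text: str) -> str:
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def redact_value(value: Any) -> Any:
    """Apply redact_text to every string inside nested lists and dicts."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, list):
        return [redact_value(v) for v in value]
    if isinstance(value, dict):
        return {k: redact_value(v) for k, v in value.items()}
    return value


def sanitize_entry(entry: dict[str, Any]) -> dict[str, Any]:
    """Minimize to the allowlist, redact what remains, and mark the entry as unreviewed."""
    kept = {k: redact_value(v) for k, v in entry.items() if k in ALLOWED_FIELDS}
    kept["omitted_fields"] = sorted(k for k in entry if k not in ALLOWED_FIELDS)
    # Promotion into AGENTS.md, CLAUDE.md and similar files is a separate, explicit human step.
    kept["status"] = "pending-review"
    return kept


# Constructed sample entry in the shape the schema asks for. The AWS key id is the one AWS's
# own documentation uses as a placeholder; the other values are invented.
SAMPLE_ENTRY: dict[str, Any] = {
    "timestamp": "2025-01-01T00:00:00Z",
    "category": "correction",
    "summary": "Deploy failed: wrong bucket name",
    "command": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY "
               "aws s3 sync ./dist s3://acme-prod-assets",
    "error_output": "Error: AccessDenied for AKIAIOSFODNN7EXAMPLE at /home/alice/work/acme/deploy.sh",
    "parameters": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"},
    "environment": {"GITHUB_TOKEN": "ghp_" + "a" * 36},
    "user_context": "alice@acme.example asked to fix the deploy",
    "related_files": ["/home/alice/work/acme/deploy.sh", "/Users/bob/notes.md"],
}

if __name__ == "__main__":
    for key, value in sanitize_entry(SAMPLE_ENTRY).items():
        print(f"{key}: {value!r}")
```

Run against the sample, the retained `command` and `error_output` fields keep enough to learn from (which tool, which path, which error) while the key id, the secret key and the home directory are gone, and `parameters`, `environment` and `user_context` never reach disk at all.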

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
Cross-session transcript reading and message passing create a direct pathway for sensitive conversation content to move beyond its original context. Even if intended for learning transfer, this expands the blast radius of any secrets or confidential material mentioned in one session to multiple agents or workspaces.

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 74%
Content (excerpt from the skill's setup instructions, as captured by the scanner):

    └── FEATURE_REQUESTS.md
    ```

    ### Create Learning Files

    ```bash
    mkdir -p ~/.openclaw/workspace/.learnings

Finding:
Create Learning Files ```bash mkdir -p ~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal