Skill Engineer

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent skill-building workflow, but it gives agents broad memory access and default Git publishing authority without clear user approval boundaries.

Review before installing. Use it only in workspaces where the agent is allowed to search persistent memory and notes. Require explicit confirmation before any git commit or push, prefer feature branches and PRs over pushing to main, and review the deepwiki dependency and the validation scripts before allowing them to run.
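One way to enforce the "no push to main without confirmation" rule mechanically rather than relying on the agent to ask. The following git pre-push hook is an added example, not part of the skill or of the SkillSpector report; the protected-branch list and the HUMAN_APPROVED_PUSH environment variable are assumed policy, chosen for this illustration. Git feeds the hook one line per ref on stdin ("<local ref> <local sha> <remote ref> <remote sha>"), and a non-zero exit aborts the push.

```python
#!/usr/bin/env python3
"""Git pre-push hook: refuse pushes that publish to a protected branch or
delete a remote branch unless a human has approved this specific push.

Install by copying to .git/hooks/pre-push and marking it executable.
"""
import os
import sys

# Branches an agent must never publish to directly. Assumed policy for this
# example; the skill itself defines no such list.
PROTECTED = {"refs/heads/main", "refs/heads/master"}
# Hypothetical approval signal: an operator sets it only for a push they have
# reviewed, so an agent running unattended does not have it.
APPROVAL_VAR = "HUMAN_APPROVED_PUSH"
# Git reports a branch deletion as an all-zero local sha.
DELETE_SHA = "0" * 40


def blocked_refs(stdin_lines, env):
    """Return the remote refs this push must not touch (empty list = allow).

    stdin_lines: the lines git writes to the hook's stdin.
    env: mapping of environment variables (os.environ in real use).
    """
    if env.get(APPROVAL_VAR) == "1":
        return []
    hits = []
    for line in stdin_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _local_ref, local_sha, remote_ref, _remote_sha = parts
        # Publishing to main/master and deleting any remote branch are both
        # persistent, remote state changes that need a human decision.
        if remote_ref in PROTECTED or local_sha == DELETE_SHA:
            hits.append(remote_ref)
    return hits


def main():
    hits = blocked_refs(sys.stdin.read().splitlines(), os.environ)
    if hits:
        sys.stderr.write(
            "pre-push: refusing to push %s without %s=1; push a feature "
            "branch and open a PR instead\n"
            % (", ".join(sorted(set(hits))), APPROVAL_VAR)
        )
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The hook is per-clone and an agent with shell access could remove it, so treat it as a guard against accidental publication; the durable control is branch protection on the remote, which the hook complements.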

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill advertises itself as a multi-agent design/review/test orchestrator, but the analyzed behavior indicates it actually performs static validation and repository-oriented checks instead. This kind of description-behavior mismatch can mislead operators into invoking the skill in broader trust contexts than warranted, causing unsafe assumptions about what it will do and what side effects it may have.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document states release pipeline and deployment are out of scope, yet later instructs the orchestrator to commit and push to a remote repository. This contradiction weakens operator trust boundaries and can lead to unauthorized source-control changes when a user believes the skill is limited to local artifact generation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill claims it ends after producing validated artifacts, but later expands behavior to modifying repository history and pushing upstream. This hidden expansion of authority is dangerous because users may permit artifact generation while not intending any persistent or remote state changes.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The rubric explicitly instructs the Reviewer to execute local shell scripts as part of the review process. In a skill document, this grants operational command-execution behavior to a role whose primary purpose is evaluation, and if the referenced scripts or path are compromised, the reviewer could be induced to run attacker-controlled code.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Embedding instructions to commit and push to the main branch without clear warning or consent creates a real integrity risk. A user may invoke the skill for analysis or drafting and unintentionally trigger persistent repository modifications or remote publication, which can damage production branches or leak sensitive content.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The document tells the reviewer to run shell scripts from a local path without any warning, trust boundary clarification, or verification step. In isolation this is mostly a safety and security hygiene issue, but in an agent skill context it normalizes executing repository-local commands that may be modified or malicious.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list is unusually broad and includes generic phrases such as "review skill," "test skill," "evaluate skill," and "refactor skill," which can cause the skill to activate for loosely related user requests beyond its intended scope. Overbroad activation increases the chance of inappropriate routing, unexpected access to skill-specific capabilities, and security review bypasses if this skill is invoked when a narrower or safer skill should handle the request.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase "help me design a skill" is broad natural language that can appear in many ordinary conversations and may cause the skill to activate when the user did not specifically intend to invoke skill-engineer. In this skill's context, unintended activation is moderately risky because it orchestrates multi-agent design/review/test behavior, which can misroute requests, override more appropriate skills, or expose internal workflow unexpectedly.
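Three of the finding types above (a scope statement contradicted by git publishing instructions, a reviewer told to run repository-local scripts, and trigger phrases made only of generic words) can be caught by a static pass over the skill document before it is installed. The checker below is an added example written for this page; it is not SkillSpector's code, and its regexes and generic-word list are heuristics chosen here, not NVIDIA's detection rules. The SAMPLE_SKILL document is constructed for the demonstration and is not the Skill Engineer skill's real text.

```python
"""Static lint for an agent skill document (SKILL.md style: YAML front
matter with a triggers list, then markdown instructions)."""
import re

# Constructed sample for the demonstration; not the real skill's text.
SAMPLE_SKILL = """\
---
name: skill-engineer
description: Orchestrates design, review and test of skills.
triggers:
  - help me design a skill
  - review skill
  - test skill
  - lint skill-engineer front matter
---
## Scope
Release pipeline and deployment are out of scope for this skill.

## Reviewer
Run `bash scripts/validate.sh` against the generated artifacts.

## Finish
When validation passes, `git commit -am "update skill"` and `git push origin main`.
"""

# Words that carry no skill-specific meaning (assumed list for this example).
GENERIC_TRIGGER_WORDS = {
    "help", "me", "a", "the", "my", "this", "skill", "review", "test",
    "evaluate", "refactor", "design", "build", "create", "write", "fix",
    "improve", "check",
}
# "deployment ... out of scope" style exclusions, on a single sentence.
SCOPE_EXCLUSION = re.compile(r"(deploy|release|publish)\w*[^.\n]*out of scope", re.I)
# A git commit/push command, read up to the end of the command span.
GIT_PUBLISH = re.compile(r"\bgit\s+(?:commit|push)\b[^`\n.;]*")
# An instruction to execute something under a scripts/ directory.
LOCAL_SCRIPT = re.compile(r"(?:\b(?:bash|sh|python3?|node)\s+|\./)[\w./-]*\bscripts?/[\w./-]+", re.I)


def parse_triggers(doc):
    """Return the list items under `triggers:` in the front matter."""
    m = re.match(r"---\n(.*?)\n---\n", doc, re.S)
    if not m:
        return []
    triggers, in_triggers = [], False
    for line in m.group(1).splitlines():
        if re.match(r"^triggers:\s*$", line):
            in_triggers = True
            continue
        if in_triggers:
            item = re.match(r"^\s+-\s+(.+?)\s*$", line)
            if not item:
                break
            triggers.append(item.group(1))
    return triggers


def is_vague_trigger(phrase):
    """A trigger is vague when every word is generic: nothing in it would
    stop the phrase matching an ordinary, unrelated request."""
    words = re.findall(r"[a-z0-9-]+", phrase.lower())
    return bool(words) and all(w in GENERIC_TRIGGER_WORDS for w in words)


def lint_skill(doc):
    """Return findings as (category, evidence) pairs in the page's categories."""
    findings = []
    publish = [m.group(0) for m in GIT_PUBLISH.finditer(doc)]
    if SCOPE_EXCLUSION.search(doc) and publish:
        findings.append(("Intent-Code Divergence",
                         "deployment declared out of scope, yet: " + "; ".join(publish)))
    for cmd in publish:
        if re.search(r"\b(main|master)\b", cmd):
            findings.append(("Missing User Warnings", "publishes to a protected branch: " + cmd))
    for m in LOCAL_SCRIPT.finditer(doc):
        findings.append(("Context-Inappropriate Capability", "runs repository-local script: " + m.group(0)))
    for trigger in parse_triggers(doc):
        if is_vague_trigger(trigger):
            findings.append(("Vague Triggers", trigger))
    return findings


if __name__ == "__main__":
    for category, evidence in lint_skill(SAMPLE_SKILL):
        print(f"{category}: {evidence}")
```

The checker flags the contradiction only when both halves are present (an exclusion and a publish command), which is the same mismatch the report describes; it cannot judge whether a script is malicious, only that the document delegates execution of it to a reviewer role.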

VirusTotal

66/66 vendors flagged this skill as clean.
