Close Loop

Security checks across malware telemetry and agentic risk

Overview

This skill is not deceptive, but it can automatically commit changes and write memory/config files when broad wrap-up phrases are used, so it needs review before install.

Install only if you want a close-out skill that can make local repository changes. Prefer dry-run first, require explicit confirmation before commits, file moves, memory/rule updates, and handoff writes, and ensure push/deploy/publish policies are clear before using it in autonomous sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
This phase authorizes sensitive repository actions such as committing, pushing, and potentially running deploy scripts as part of a routine end-of-session workflow, but it does not require explicit user confirmation or narrowly define safe conditions. In an agentic context, bundling these capabilities into a default close-out step can cause unintended code publication, remote changes, or production-impacting execution from ordinary session state.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger phrases include generic conversational terms like 'wrap up', 'close session', and 'end session', which can easily appear in ordinary dialogue and unintentionally invoke the workflow. In this skill, unintended invocation is more dangerous because the workflow can perform end-of-session actions and persist memory or prepare shipping-related outputs, potentially causing unauthorized state changes.

Vague Triggers

Medium
Confidence: 93%
Finding
The phrase 'or equivalent phrase' leaves the activation boundary undefined, which increases the chance that the agent will infer intent from nearby conversational language and run the workflow unexpectedly. Given this skill's ability to update memory and queue external actions, ambiguous invocation semantics create a meaningful risk of accidental execution.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README states that memory may be persisted into project files such as 'docs/memory/...', 'CLAUDE.md', and '.claude/rules/*', but the skill description does not prominently warn users that invoking the workflow can write session-derived content into the repository. This is dangerous because users may trigger a session wrap-up expecting a summary, while the skill may silently create durable artifacts containing sensitive, incorrect, or prompt-injected content.

Missing User Warnings

Medium
Confidence: 95%
Finding
The instruction to commit uncommitted changes with descriptive messages directs the agent to modify repository history without first warning the user or obtaining confirmation. Even if the change is local, an automatic commit can preserve unintended edits, sensitive material, or incomplete work and make later review or rollback more error-prone.

Missing User Warnings

Medium
Confidence: 92%
Finding
Automatically moving document files changes user-managed content and paths without an explicit warning, which can break references, workflows, or expectations about file organization. In a broad end-of-session skill, this is especially risky because the criteria for when a file is 'misplaced' are not defined and may be inferred incorrectly.

Missing User Warnings

Low
Confidence: 82%
Finding
The instruction to invoke another skill to write a handoff file does not disclose that it will create or modify files, which reduces transparency around filesystem changes. While lower risk than commit or deploy actions, silent file creation can still surprise users, leak task context into persistent storage, or overwrite existing handoff artifacts.

VirusTotal

VirusTotal findings are pending for this skill version.