Init Rules

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims at a high level, but it can replace persistent agent rule files and run an unscoped setup script without a clear user confirmation step.

Review the generated rule changes before allowing this skill to write anything. Do not let it run setup.sh unless you know exactly which setup.sh will run and have inspected what it does. Consider manually copying the generated markdown into rules/ instead of allowing the skill to replace the whole directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%

Finding: The skill instructs the agent to execute a destructive shell operation that moves the entire `rules/` directory and recreates it, even though the stated purpose is an interactive interview that generates personalized rule files. This creates unnecessary file-system side effects and can overwrite, orphan, or disrupt existing configuration without explicit user approval at the moment of execution.

Context-Inappropriate Capability

Severity: High
Confidence: 97%

Finding: The instruction to run `setup.sh` introduces arbitrary script execution beyond the advertised scope of merely generating rule files. Because `setup.sh` could perform any shell action, this expands the skill from configuration generation into broad code execution, creating a serious risk if the script is unsafe, modified, or unexpected in the current environment.

Missing User Warnings

Severity: Medium
Confidence: 90%

Finding: The skill directs the agent to back up and replace the entire `rules/` directory without a clear user-facing warning that files will be moved and regenerated. In a rule-initialization skill, hidden bulk modification is especially risky because users may expect additive configuration help, not wholesale replacement of existing rule state.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The skill tells the agent to run `setup.sh` with no user-facing warning about shell execution, which conceals a high-risk action behind a benign-sounding setup workflow. This mismatch is dangerous because users invoking a rules interview may not realize they are authorizing arbitrary local script execution.

VirusTotal

VirusTotal findings are pending for this skill version.