Proactive Intelligence

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as a proactive memory and skill-evolution tool, but it can persistently change agent guidance and other installed skills, and the scope of those changes is loosely bounded.

Install only if you intentionally want an agent to keep long-term local memory and help modify other skills. Before running init.py, back up workspace Markdown files, remove the default trading rules from memory.md, avoid running the missing/unreviewed init.ps1 path, and require manual diff review before any change to installed skills or agent instruction files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_command(self, cmd):
    """Run a command and return its output"""
    try:
        result = subprocess.run(
            cmd,
            shell=True,  # flagged pattern: cmd is interpreted by the system shell
            capture_output=True,
            text=True,
            encoding='utf-8'
        )
        return result.stdout
    except subprocess.SubprocessError as e:  # handler body not captured in the report
        return str(e)
Confidence
95% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, encoding='utf-8' )

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and documents file read, file write, and shell-style initialization/evolution actions, but declares no permissions in metadata. That mismatch creates a trust and enforcement gap: operators or platforms may treat the skill as low-privilege while the instructions explicitly encourage state mutation and command execution, increasing the chance of silent overreach.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill includes explicit uninstall commands for other skills even though its core purpose is memory, proactivity, and self-improvement. A self-modifying or management-oriented skill with authority to remove other skills can disrupt user environment integrity or suppress safeguards, especially if triggered under broad 'optimization' logic.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The safety section is internally inconsistent: it says actions leaving the machine require confirmation, yet permits network search and calendar checks freely. Ambiguous boundaries are dangerous because agents may interpret external requests, API calls, or calendar access as pre-authorized and exfiltrate sensitive context without a clear consent step.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The initialization script scans the shared workspace and performs in-place edits on all top-level Markdown files, not just files owned by this skill. That creates an integrity risk because unrelated user notes or other skills' documentation can be silently altered during setup, which is especially dangerous in an agent environment where the user may not expect broad workspace mutation from an init step.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This code can directly rewrite files belonging to other skills under the shared skills directory after only a minimal prompt/confirmation flow. In a self-improving or proactive skill, cross-skill write access is especially risky because a bug, bad heuristic, or later feature expansion could corrupt trusted automation code or introduce persistence into unrelated skills.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The evolution trigger conditions are overly broad, including automatic fixes when syntax errors, 'better implementations,' feedback, vulnerabilities, or bottlenecks are detected. In a skill that can edit other skills and run tooling, such vague triggers can cause unauthorized code changes or cascading self-modification without clear operator intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The initialization flow states that it will automatically sync and rewrite workspace Markdown paths, which implies modifying user or project files. Because this data mutation is presented as part of setup without a strong warning or consent step, it risks unintended edits, corruption of project documentation, or propagation of stale assumptions across files.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script creates multiple directories and files and may overwrite content in existing Markdown files without any confirmation, dry-run mode, or warning. Silent filesystem mutation increases the chance of accidental data corruption, surprising side effects, and unauthorized persistence in the user's environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The installation guide instructs users to run initialization scripts that create files and directories and 'sync workspace .md paths' without clearly disclosing the scope of file modifications, backup recommendations, or exact files affected. In a skill that advertises self-improvement, memory, and skill management, undisclosed workspace rewriting is more dangerous because it normalizes persistent modification of user data and agent state.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool writes modified source files to disk once content changes are computed, but it does not provide a clear file-by-file disclosure of exactly what will be changed before the write occurs. In a skill that edits code, insufficient transparency materially raises the risk of unintended code changes, silent breakage, or operator approval without understanding scope.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The report generator persists analysis data about other skills to disk without prominently disclosing that the data will be stored in a separate memory directory. Even if the content is not highly sensitive by itself, writing inventory and issue data about local codebases can expose project structure and findings to other local processes or users.

Ssd 3

Medium
Confidence
95% confidence
Finding
The logging and memory design instructs the agent to persist broad conversation-derived content, including corrections, context, preferences, errors, and related files. That creates a durable natural-language data retention surface where sensitive user information, secrets, project details, or behavioral profiles may be stored in plain text and later exposed or misused.

VirusTotal

65/65 vendors reported this skill as clean.