Skill Onboarder

Security checks across malware telemetry and agentic risk

Overview

I could not find the referenced skill artifact files in the workspace, so the scanner concerns are unverified rather than proven.

Do not treat this as a strong install approval until the actual skill package is reviewed. If the package does perform automatic writes into core agent, soul, workspace, or memory files, require an explicit user confirmation, a visible diff, narrow trigger scoping, and a clear rollback path before installing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers (Medium, 90% confidence)

Finding: The trigger list includes very generic terms like "installed," "new skill," and "wire," which can match ordinary conversation and cause the onboarding logic to run unintentionally. In this skill's context, unintended activation is risky because the workflow reads multiple files and proceeds toward modifying core soul/memory/agent state after only a confirmation step, increasing the chance of unauthorized or accidental wiring of a skill.

Vague Triggers (Medium, 95% confidence)

Finding: The trigger list is broad enough to match common conversational language such as "installed" or "new skill," which can cause this skill to activate unintentionally. In this skill's context, unintended activation is especially risky because the described behavior reads multiple skill files and writes into core system files, creating a pathway for accidental or adversarial self-modification of the agent state.

Vague Triggers (Medium, 93% confidence)

Finding: Repeating ambiguous activation terms in the markdown documentation reinforces a design where ordinary user text can invoke onboarding behavior without clear boundaries. Because the skill's stated function injects content from newly installed skills into soul, memory, and agent files, an accidental trigger could let untrusted skill content influence persistent core configuration.

Vague Triggers (Medium, 92% confidence)

Finding: The hook description uses an extremely broad activation condition, 'On trigger', without defining what event or phrase actually causes execution. In the context of a skill that automatically reads multiple control files and injects content into core system files, this ambiguity increases the chance of unintended or overly frequent activation, enabling unauthorized onboarding behavior or persistence through accidental trigger matches.

Missing User Warnings (Medium, 97% confidence)

Finding: The file explicitly states that installation will write into soul/master.md, agent/skills-active.md, and workspace/_index.md, but provides no user approval step, review gate, or warning. Because the skill's purpose is to read other skill files and inject their contents into core memory/agent locations, this creates a direct pathway for privilege expansion, persistent prompt/context poisoning, and silent modification of system behavior.

Vague Triggers (Medium, 91% confidence)

Finding: The template instructs installers to add arbitrary trigger keywords that are scanned on every input, but it provides no scoping rules, collision avoidance, or negative examples to prevent overbroad activation. In the context of a skill that auto-wires content into core agent files, vague trigger definitions can cause unintended or attacker-chosen activation paths, making downstream injected rules and hooks execute far more often than intended.

Vague Triggers (Medium, 96% confidence)

Finding: The 'Always Fires' field explicitly permits unconditional activation on every turn with only a yes/no toggle and no policy constraints, approval requirement, or safety boundary. Given this skill's purpose is to inject behavior into agent state and enforce hard rules that can block responses, unconditional activation can effectively create persistent global behavior hijacking or denial of service across all interactions.

Missing User Warnings (Medium, 94% confidence)

Finding: The template normalizes hooks that fire on errors or before every response and write into memory or raw error storage, while also requiring creation of filesystem paths, yet it gives no user-facing disclosure or consent language about these side effects. In an auto-onboarding skill that reads skill documents and injects into soul/memory/agent files, silent file modification and persistent state writes materially increase the risk of covert persistence, data leakage, and tampering with core behavior.

VirusTotal

63/63 vendors flagged this skill as clean.