Feedback-Loop-v2

Security checks across malware telemetry and agentic risk

Overview

The skill mostly behaves like a local feedback-report generator, but its custom rule feature can run arbitrary Python code and its generated files can carry forward sensitive input data.

Install only if you trust the skill package and will run it on non-sensitive, user-selected inputs. Do not use custom suggestion_rules.json files from other people unless the eval-based rule engine is replaced or sandboxed. Run it in a dedicated output directory, review generated observation/specification files before reusing them, and avoid feeding it logs or specifications that contain secrets, credentials, private prompts, or confidential business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

eval() call detected

High
Category
Dangerous Code Execution
Content
for rule in rules:
    condition = rule["condition"]
    try:
        # The condition string loaded from suggestion_rules.json is passed
        # straight to eval(); an empty globals dict does not sandbox it.
        if eval(condition, {}, context):
            key = rule["suggestion"][:60]
            if key not in seen:
                suggestions.append({
Confidence
99% confidence
Finding
if eval(condition, {}, context):

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises and documents file read/write behavior through its scripts and generated artifacts, but no declared permissions are surfaced to the user. That mismatch weakens consent and review boundaries because a caller may invoke the skill without realizing it will read inputs and create or overwrite files in the working directory.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Claiming the skill can observe 'any system or execution' creates unclear activation boundaries and encourages use on arbitrary targets, including sensitive environments. In security-sensitive agent ecosystems, vague scope increases the chance of unintended data access, misuse, or over-trusting the skill's applicability.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The guidance to analyze 'any process, script, or agent execution' is overly broad and lacks limiting conditions on what data may be ingested. This makes the skill more likely to be invoked on sensitive outputs or high-risk workflows without proper review, especially because the skill also claims autonomous artifact generation and iterative updates.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The outputs section states that runs produce multiple files in the current directory or output directory, but it does not clearly warn about creation and possible overwrite behavior. This can lead to accidental clobbering of existing files, leakage of derived analysis artifacts, or unsafe use in directories containing important project data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The self-improving loop automatically carries forward and extends observations, regression tests, and potentially specifications across runs, but the description does not warn users that persistent artifacts are being modified. In practice this can create integrity and change-control risks, especially if generated tests or updated specifications are later trusted as authoritative inputs.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation states that the skill will add regression tests to `updated_specification.json` and automatically bump the specification version, but it does not clearly warn users that invoking the tool can modify or generate specification artifacts. In a self-improving loop that processes external inputs, undocumented automatic file mutation can lead to unintended state changes, corrupted workflow inputs for later cycles, or abuse if untrusted data influences what gets written.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill accepts custom suggestion rules from disk and then passes their condition strings into eval() without warning, sandboxing, or validation. In this skill context, that is more dangerous because the component is explicitly designed to ingest observations and optional external config files in automated feedback loops, increasing the chance that untrusted or tampered rule files get executed during routine analysis.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The orchestrator loads externally supplied observation, analysis, outcome, and specification JSON files and later persists their contents into generated artifacts such as reports and updated observation/specification files. In a feedback/analysis skill, those inputs can contain secrets, internal prompts, identifiers, or operational data, so this creates a real data propagation and disclosure risk even though it is not overtly malicious.

VirusTotal

67/67 vendors flagged this skill as clean.