Agent Skills Context

Security checks across malware telemetry and agentic risk

Overview

This broad context-engineering skill collection is mostly educational, but it bundles high-impact examples involving personal data, hosted-agent execution, reasoning-trace capture, and author-style fine-tuning without enough guardrails.

Review this collection before installing or enabling it broadly. Treat the hosted-agent and shell-execution snippets as pseudocode that needs real sandboxing, allowlists, token controls, and human approval before use. Do not run the reasoning-trace optimizer on sensitive prompts or tool outputs unless third-party MiniMax processing is acceptable. Avoid the book SFT pipeline for copyrighted works, living authors, or identifiable creator imitation unless you have clear rights and consent. Narrow activation triggers for Digital Brain and other personal-data examples so the agent does not read contacts, meetings, or private memory unless you explicitly ask it to.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (118)

eval() call detected

High
Category
Dangerous Code Execution
Content
                "pi": math.pi,
                "e": math.e,
            }
            result = eval(expression, {"__builtins__": {}}, allowed_names)
            return json.dumps({
                "expression": expression,
                "result": result,
Confidence
98% confidence
Finding
result = eval(expression, {"__builtins__": {}}, allowed_names)

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill explicitly teaches users to build datasets from books and train models to write in a named author's voice, including prompt templates like 'Write in the style of {author}'. That materially enables impersonation and unauthorized voice/style replication, especially for living or identifiable authors, without any limiting controls, consent checks, or policy boundaries.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The documentation explicitly tells developers to preserve and resend the model’s full internal reasoning between turns. Internal reasoning can contain sensitive user data, hidden system context, safety logic, or tool-derived secrets, and replaying it increases the chance of unintended disclosure, logging, persistence, or prompt-injection leverage across turns.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The example loads an API credential from the environment and is designed to call a remote model service even though the surrounding code is framed as a mock-tool demonstration. This creates an unexpected external data flow: prompts, tool schemas, tool outputs, and trace data may be transmitted off-host, which is a real security and privacy concern in example code because users may run it assuming everything is local.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code configures a remote API endpoint and submits the task to it despite the file presenting itself as a mock tool usage demonstration. The mismatch is dangerous because operators may expose task contents, prompts, tool metadata, and returned tool results to a third party without realizing the example is not self-contained.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The loop initializes TraceCapture, TraceAnalyzer, and PromptOptimizer with a default external API endpoint, causing tasks, prompts, traces, and related optimization data to be transmitted off-host. In a context-engineering skill, those artifacts can contain sensitive instructions, secrets, or proprietary workflow details, so undisclosed remote transmission materially increases data exposure risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The generator sends task context, recommendations, key changes, and slices of initial/final prompts to an external model service. If those optimization artifacts contain proprietary prompts, internal procedures, or sensitive user data, this causes unintended third-party disclosure and expands the trust boundary beyond local processing.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The file contains conflicting decision logic: one section says failure on more than 2 gates causes immediate rejection, while the embedded rubric later says failure on any gate is an immediate reject. In a security- or quality-sensitive evaluation workflow, contradictory instructions can cause inconsistent enforcement, letting weak or unsafe content pass under one interpretation and fail under another.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The progressive disclosure helper reads files from caller-controlled paths with no path validation, directory restriction, or allowlist enforcement. In an agent setting, if untrusted input can influence `summary_path` or `detail_path`, the module can expose arbitrary local files such as configuration, secrets, or system data, which exceeds the apparent context-management purpose and increases data exfiltration risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The TerminalCapture example executes an arbitrary string with subprocess.run(..., shell=True), which enables command injection and unrestricted shell execution if the command value is influenced by user, model, or tool output. In a context-engineering skill, this is especially risky because the pattern is presented as reusable infrastructure, normalizing unsafe execution in agent frameworks rather than a narrowly justified admin utility.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document presents a restrictive security configuration while earlier examples rely on unrestricted shell execution for git clone, package installation, builds, and background processes. This inconsistency is dangerous because implementers may copy the execution patterns without enforcing the stated restrictions, resulting in command execution paths that can reach the network, run untrusted build scripts, and bypass the claimed sandbox controls.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The comment suggests lightweight repository classification, but the implementation sends full Slack message text, channel name, and recent thread context to an external OpenAI API. That mismatch can mislead developers and users about the amount of data being disclosed, increasing the risk of unintended sharing of internal or sensitive communications.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad enough to match many ordinary user requests, which can cause unintended skill activation and inject irrelevant or overly powerful instructions into an agent session. In a skill marketplace context, this increases the risk of context poisoning, instruction conflicts, and accidental enablement of capabilities the user did not explicitly request.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation criteria are broad enough to trigger on many routine agent-development tasks, which can cause unnecessary loading of a large and powerful skill collection. Over-activation increases context exposure, can steer agents into inappropriate architectural/tooling recommendations, and raises the chance that downstream sub-skills with stronger capabilities are invoked when not needed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document states that sessions were collected from production software engineering sessions across real codebases from users who opted into a special research program, but it does not clearly describe what data was collected, how it was de-identified, how consent was obtained, or what privacy protections governed storage and model evaluation. In a skill focused on agent systems and context engineering, this matters because production conversations can contain source code, secrets, internal paths, or customer data, so normalizing this practice without explicit privacy safeguards creates real data-handling risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example code shows a generic command-execution tool that forwards model-controlled input directly into sandbox.exec(command), which is a dangerous pattern if copied into real agents without strict containment. Even in a sandbox, arbitrary shell execution can enable destructive actions, data exfiltration, lateral movement within accessible resources, or breakout attempts depending on sandbox configuration and mounted secrets/files.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README explicitly markets the skill as a way to train models to write in any author's style, but provides no safeguards, policy boundaries, or warnings about copyright infringement, consent, impersonation, or deceptive use. In this context, the omission increases misuse risk because the repository is a reusable agent skill collection intended to operationalize workflows, making it easier for users to adopt style-cloning behavior without considering legal or ethical constraints.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation criteria are broad enough to trigger on generic requests about fine-tuning on books, style transfer, or author voice replication, which increases the chance the skill is surfaced in inappropriate contexts. Because the skill contains high-risk guidance, overbroad activation raises the likelihood of misuse and accidental policy bypass.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill walks the user through extracting full book text and using the excerpts directly as assistant completions in training data, but provides no warning about copyright, licensing, consent, or contractual restrictions. That omission makes it easy to operationalize infringement at scale and normalize use of protected text for model training and regurgitation risk.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The skill's stated goal is to create models that write in specific authors' voices and includes templates and evaluation methods optimized for that outcome. In context, this is more dangerous because the collection is framed as practical agent-building guidance, so the document is directly actionable and lowers the barrier to producing unauthorized stylistic impersonation systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Tier 2 segmentation flow explicitly sends oversized text chunks to an external LLM (`_call_llm`) but the surrounding documentation does not warn users that book content may leave the local environment. In a context-engineering skill, this matters because source books may be copyrighted, confidential, or otherwise sensitive, so silent transmission to a third-party model can create privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function sends up to 2000 characters of excerpt text to an externally supplied `llm_call` function without any explicit consent, data-classification check, or warning that book content may leave the local environment. In a pipeline handling copyrighted, proprietary, or sensitive text, this can cause unintended data disclosure to third-party LLM providers or logging systems.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger table uses broad natural-language examples like "Write a post about X" and "What should I create?" that could match many ordinary user requests and cause the skill to activate when the user did not explicitly intend to use this personal operating system workflow. Because the skill then directs the agent to read local files, query contact history, or run scripts, unintended invocation can expose sensitive personal context or cause unnecessary side effects in the project.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs agents to access highly sensitive personal data such as contacts, interaction history, tasks, meeting notes, and metrics, but provides no privacy warning, consent boundary, minimization guidance, or handling restrictions. In a skill intended for AI-assisted workflows, this omission can normalize broad access to personal data and increase the risk of over-collection, unintended disclosure, or unsafe automation against sensitive information.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation description includes broad triggers such as writing posts, checking voice, looking up contacts, and preparing for meetings, which can easily overlap with ordinary user requests. This increases the chance the skill activates without clear user intent and then accesses personal memory or CRM-style data unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.
