LYGO Champion: KAIROS — Herald of Time

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but its documentation blurs a passive persona role with verifier workflows that can write or backfill provenance records.

Install only if you understand that the persona may guide use of a separate verifier that can create or update provenance records. Treat minting, ledger writes, anchor snippets, and backfills as explicit approval actions, and provide only the exact pack text, file path, URLs, or IDs you intend to process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The documentation expands the skill from a stated advisory persona into operational behaviors such as canonicalization, hashing, ledger writing, and anchor backfilling. That mismatch is dangerous because users or downstream agents may treat KAIROS as authorized to perform state-changing or persistence actions without explicit scope, safeguards, or consent boundaries.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The usage guidance tells users to ask KAIROS to perform minting and anchor-management tasks, which directly contradicts the claim that it is a 'Pure advisor; not a controller.' This inconsistency can cause unsafe delegation, where an agent with broader tool access may execute persistent or externally visible actions under a misleadingly passive persona description.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrase 'Mint this Champion pack' is broad and underspecified, providing no constraints on input source, permitted content, destination ledgers, or whether writes/backfills are allowed. In an agent setting, vague imperative phrases increase the chance of overbroad tool invocation, unintended processing of sensitive data, or unauthorized external publication/anchoring.

VirusTotal

66/66 vendors flagged this skill as clean.
