鲁班.Skill

Security checks across malware telemetry and agentic risk

Overview

This skill presents itself as a legitimate skill optimizer, but it asks for broad authority to inspect, edit, test, and maintain many skills, and some of that behavior runs automatically without tight scoping.

Install only if you want an agent to maintain skills at repository scale. Use it in a version-controlled workspace, require explicit confirmation before every write, avoid providing secrets or confidential prompts during repair/testing, and treat periodic maintenance, web refresh, child-agent testing, and bulk optimization as opt-in Review items rather than default behavior.
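The "explicit confirmation before every write" recommendation above is easy to state and easy to lose in a skill that also has maintenance and history-file code paths. The following is an added example (not code from 鲁班.Skill or its author) of a single write tool that every code path must go through: it refuses targets that resolve outside the workspace root and refuses any write the confirm callback does not approve. The tool name write_skill_file, the confirm callback signature, and the throwaway workspace in demo() are assumptions made for illustration.

```python
"""Confirmation-gated write tool for an agent that maintains SKILL.md files.

This is an added example, not code from 鲁班.Skill or its author. The tool
name `write_skill_file`, the `confirm` callback signature and the sample
content in `demo()` are assumptions made for illustration.
"""
import tempfile
from pathlib import Path
from typing import Callable


class WriteRefused(Exception):
    """Raised when a write is outside the workspace or was not confirmed."""


def inside_workspace(root: Path, target: Path) -> bool:
    """True only if `target` resolves to a location under `root`.

    Both sides are resolved first, so '..' segments and symlinks cannot be
    used to escape the workspace (e.g. skills/../../.ssh/config).
    """
    try:
        target.resolve().relative_to(root.resolve())
    except ValueError:
        return False
    return True


def write_skill_file(root: Path, rel_path: str, new_text: str,
                     confirm: Callable[[str, str, str], bool]) -> bool:
    """Write `new_text` to root/rel_path, but only after explicit approval.

    `confirm(rel_path, old_text, new_text)` is shown the complete before and
    after content and must return exactly True. The check runs on every
    write, including "maintenance" and "history file" writes, so no code
    path can modify the repository unattended.

    Returns True if the file was written, False if the content was already
    identical (no change, so no confirmation is requested).
    """
    target = root / rel_path
    if not inside_workspace(root, target):
        raise WriteRefused(f"refusing write outside workspace: {rel_path}")
    old_text = target.read_text(encoding="utf-8") if target.exists() else ""
    if old_text == new_text:
        return False
    if confirm(rel_path, old_text, new_text) is not True:
        raise WriteRefused(f"write to {rel_path} was not confirmed")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(new_text, encoding="utf-8")
    return True


def demo() -> dict:
    """Exercise the gate on a throwaway workspace; returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approve = lambda path, old, new: True   # an interactive prompt in practice
        deny = lambda path, old, new: False
        results["written"] = write_skill_file(
            root, "skills/demo/SKILL.md", "# demo\n", approve)
        results["unchanged"] = write_skill_file(
            root, "skills/demo/SKILL.md", "# demo\n", approve)
        try:
            write_skill_file(root, "skills/demo/SKILL.md", "# edited\n", deny)
            results["denied"] = "written"       # must not happen
        except WriteRefused:
            results["denied"] = "refused"
        try:
            write_skill_file(root, "../escape.md", "x", approve)
            results["escape"] = "written"       # must not happen
        except WriteRefused:
            results["escape"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that the gate is the only writer the agent is given; if a "health check" or "history file" routine has its own open()/write path, the confirmation policy is a claim in the manifest rather than a property of the tool.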

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The manifest presents this as a skill optimizer/reviewer, but the body also authorizes periodic autonomous maintenance, health checks, and knowledge refresh workflows. This scope expansion can cause the skill to run unattended or perform actions the user did not reasonably expect from the declared purpose, increasing the chance of unintended modifications or tool use.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The CASCADE module performs external knowledge retrieval and update checks, which goes beyond the stated purpose of optimizing skill files and introduces network-facing behavior. That expands the trust boundary, can leak repository context through queries, and may pull in untrusted external content that later influences skill modifications.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The document claims all modification operations require user confirmation, but other sections state that edits or maintenance actions automatically occur after file changes. This policy contradiction is dangerous because an agent may follow the more permissive path and make unauthorized persistent changes or test-artifact writes without the user's informed consent.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger phrase “评估所有skills” (“evaluate all skills”) is broad enough that ordinary user requests about reviewing skills could unintentionally activate bulk evaluation behavior. In a skill that reads multiple SKILL.md files, unintended activation can cause unnecessary access across the workspace and produce actions at a larger scope than the user expected.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The pattern “优化 <skill名>” (“optimize <skill name>”) is generic natural language and can overlap with normal discussion about improving a skill, making accidental activation plausible. Because this operation performs assessment and iterative modification planning, an ambiguous trigger increases the risk of unintended file analysis or edit workflows being started.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The bulk command “优化所有skills” (“optimize all skills”) lacks specificity and does not include guardrails or examples distinguishing it from ordinary requests, so it could be invoked when the user did not intend a repository-wide operation. In this skill’s context, bulk optimization can cascade into multiple evaluations and edits, amplifying the consequences of a mistaken trigger.

Missing User Warnings

Severity: Medium
Confidence: 77%
Finding
The Quickstart states that Full mode dispatches child agents to independently execute test prompts, but it does not warn users that this expands operational scope, resource usage, and possible side effects. In an agent skill that may evaluate or optimize many skills, child-agent execution increases the blast radius of prompt-triggered actions and can surprise users who expect only local dry-run analysis.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The documentation mentions automatic rollback and writing to history files, which implies the optimization process modifies skill files, but it does not explicitly warn users about those file changes. This can lead to unintended repository modifications, especially when combined with ambiguous optimization triggers and bulk workflows.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The top-level trigger list includes broad phrases like 'luban' and generic requests about improving a skill, which can match ordinary conversation and invoke the skill unexpectedly. Unintended activation is risky here because the skill can evaluate, rewrite, queue maintenance tasks, or prepare file modifications in repositories without a narrowly scoped user request.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
Module trigger phrases such as health-check style requests are vague and lack repository or file scoping. Because this skill controls maintenance workflows, ambiguous activation can cause it to inspect or prepare changes for unintended skills or projects.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
Additional invocation phrases for update operations are broad enough to match unrelated requests about refreshing or updating content. In this context, accidental activation is more dangerous because the module may initiate external lookups or append to references based on a loose natural-language match.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
Colloquial phrases for distillation and hardening are too imprecise for reliable activation, especially in normal collaboration. Since these modules can propose deletion, archival, or rule hardening, accidental invocation could lead to unnecessary or harmful repository churn.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The invocation keywords and routing rules are broad enough that normal user requests like '检查技能' ("check skills") or '更新技能知识' ("update skill knowledge") could unintentionally trigger this skill. In this context, the skill is designed to analyze, propose, and sometimes perform changes to skill files and references, so over-broad activation increases the risk of unauthorized or unintended maintenance actions on agent behavior.
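The Vague Triggers findings above and the Intent-Code Divergence finding (a manifest that both requires confirmation and describes automatic edits) are the kind of thing a reviewer can check mechanically before installing a skill. The following is an added example, not code from 鲁班.Skill or from SkillSpector: a small linter that extracts the trigger list from a SKILL.md, scores each phrase against four breadth heuristics, and pairs "requires confirmation" sentences with sentences that say a write happens automatically. The SKILL.md excerpt is constructed for illustration (it reuses the phrases quoted in the findings), and the rule names and the keyword parameter are assumptions.

```python
"""Lint SKILL.md trigger phrases and confirmation policy.

Added example, not code from 鲁班.Skill or SkillSpector. The SKILL.md
excerpt below is constructed for illustration (it reuses the trigger
phrases quoted in the findings); the rule names and the `keyword`
parameter are assumptions.
"""
import re

# Constructed SKILL.md excerpt: a trigger list plus two policy sentences.
SAMPLE_SKILL_MD = """\
triggers:
  - luban
  - 评估所有skills
  - 优化 <skill名>
  - 优化所有skills
  - 检查技能
  - 更新技能知识
  - luban optimize skills/<name>/SKILL.md
policy:
  All modification operations require user confirmation.
  After a skill file changes, the health check automatically rewrites history.md.
"""

BULK_WORDS = re.compile(r"所有|全部|\ball\b", re.I)
TARGET_SHAPE = re.compile(r"<[^>]+>|/|\.md\b")          # a <placeholder> or a path
CONFIRM_RULE = re.compile(
    r"require[sd]?\s+(?:explicit\s+|user\s+)?confirmation|需要.*确认", re.I)
AUTO_RULE = re.compile(r"\bautomatic(?:ally)?\b|自动", re.I)
WRITE_VERB = re.compile(
    r"\b(?:re)?writes?\b|\bedits?\b|\bmodif|\bappends?\b|\bupdates?\b|改|写入", re.I)


def extract_triggers(text: str) -> list:
    """Return the '  - phrase' items listed under a 'triggers:' header."""
    triggers, in_block = [], False
    for line in text.splitlines():
        if line.strip() == "triggers:":
            in_block = True
            continue
        if in_block and line.startswith("  - "):
            triggers.append(line[4:].strip())
        elif in_block and line.strip():
            in_block = False                 # next top-level key ends the list
    return triggers


def lint_trigger(trigger: str, keyword: str = "luban") -> list:
    """Reasons a trigger can fire on ordinary conversation; empty means scoped.

    Tokenisation is whitespace-based, so a short Chinese phrase with no
    spaces counts as a single token, which is the intended outcome here.
    """
    reasons = []
    if len(trigger.split()) == 1:
        reasons.append("single_token")
    if BULK_WORDS.search(trigger):
        reasons.append("bulk_scope")         # 'all skills': repository-wide effect
    if not TARGET_SHAPE.search(trigger):
        reasons.append("no_target")          # no file, path or <placeholder>
    if keyword.lower() not in trigger.lower():
        reasons.append("no_keyword")         # nothing distinguishing it from chat
    return reasons


def lint_triggers(text: str, keyword: str = "luban") -> dict:
    """Map every trigger in `text` to its list of breadth reasons."""
    return {t: lint_trigger(t, keyword) for t in extract_triggers(text)}


def find_policy_conflicts(text: str) -> list:
    """Pair each 'requires confirmation' sentence with each sentence that says
    a write happens automatically. A non-empty result means the document
    states two incompatible policies and an agent may follow either one.
    """
    sentences = [s.strip() for s in re.split(r"[.。\n]+", text) if s.strip()]
    confirm = [s for s in sentences if CONFIRM_RULE.search(s)]
    auto = [s for s in sentences if AUTO_RULE.search(s) and WRITE_VERB.search(s)]
    return [(c, a) for c in confirm for a in auto]


if __name__ == "__main__":
    for trig, why in lint_triggers(SAMPLE_SKILL_MD).items():
        print(f"{'OK   ' if not why else 'BROAD'} {trig!r}: {', '.join(why)}")
    for c, a in find_policy_conflicts(SAMPLE_SKILL_MD):
        print(f"CONFLICT: {c!r} vs {a!r}")
```

On the sample, only the fully scoped trigger (keyword plus an explicit path) passes clean; the bare keyword and the Chinese phrases each collect two to four reasons, and the two policy sentences are reported as one conflict pair. The heuristics are deliberately simple; the value is in running them over every SKILL.md before an agent is allowed to act on it.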

Ssd 3

Severity: Medium
Confidence: 92%
Finding
The failure-repair workflow directs collection of complete user instructions, invocation parameters, outputs, and feedback. That creates a clear data retention surface where sensitive prompts, secrets, internal paths, or proprietary outputs may be preserved in natural-language artifacts longer than necessary.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
Automatically persisting generated regression tests and expected behaviors to tests.yaml can semantically encode sensitive user requests or confidential repository context into durable artifacts. Over time this becomes a memory-like leakage channel, especially if tests are committed to source control or reused across runs.
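Both retention findings above come down to one step: the record a failure-repair workflow captures (instruction, parameters, output, feedback) is written to a durable artifact such as tests.yaml without being scrubbed first. The following is an added example, not code from 鲁班.Skill, of the scrub pass that should sit in front of that write. It replaces environment-variable values that leak into any field, credential assignments such as password=..., and home-directory prefixes, and reports which kinds of redaction fired so the run can be logged. The record layout, the env snapshot and every secret-looking string are constructed and fake; the placeholder formats (<ENV:NAME>, <REDACTED>, /<HOME>) are assumptions.

```python
"""Scrub a failure-repair record before it is persisted (e.g. to tests.yaml).

Added example, not code from 鲁班.Skill. The record layout, the env
snapshot and every secret-looking value below are constructed and fake;
the placeholder formats (<ENV:NAME>, <REDACTED>, /<HOME>) are assumptions.
"""
import json
import re

CREDENTIAL = re.compile(
    r"(?i)\b(api[_-]?key|token|secret|password|passwd)\b\s*[:=]\s*\S+")
HOME_PATH = re.compile(r"/(?:home|Users)/[A-Za-z0-9._-]+")

# Constructed: what the "collect full instructions, params, outputs" step
# would capture for one failing run. Nothing here is a real credential.
ENV_SNAPSHOT = {
    "OPENAI_API_KEY": "sk-constructed-0000000000000000",
    "SHELL": "/bin/zsh",
    "LANG": "C",
}
RECORD = {
    "instruction": "Repair the deploy skill; it uses token=ghp_FAKE0000000000 "
                   "and OPENAI_API_KEY sk-constructed-0000000000000000.",
    "params": {"cwd": "/home/alice/work/acme-internal", "env": dict(ENV_SNAPSHOT)},
    "output": "Traceback in /home/alice/work/acme-internal/skills/deploy/"
              "SKILL.md: login failed, password=hunter2",
    "feedback": "passed after retry",
}


def scrub_text(text: str, env: dict, kinds: set) -> str:
    """Replace env values, credential assignments and home paths in `text`."""
    # Longest values first so a short value never breaks a longer match.
    # Values under 8 chars (e.g. "C") are skipped to avoid mangling prose.
    for name, value in sorted(env.items(), key=lambda kv: -len(kv[1])):
        if len(value) >= 8 and value in text:
            text = text.replace(value, f"<ENV:{name}>")
            kinds.add("env_value")
    if CREDENTIAL.search(text):
        text = CREDENTIAL.sub(r"\1=<REDACTED>", text)
        kinds.add("credential")
    if HOME_PATH.search(text):
        text = HOME_PATH.sub("/<HOME>", text)
        kinds.add("home_path")
    return text


def scrub(value, env: dict, kinds: set):
    """Walk dicts, lists and strings; other leaves are returned unchanged."""
    if isinstance(value, dict):
        return {k: scrub(v, env, kinds) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v, env, kinds) for v in value]
    if isinstance(value, str):
        return scrub_text(value, env, kinds)
    return value


def scrub_record(record: dict, env: dict) -> tuple:
    """Return (scrubbed_record, kinds_redacted); only the first is persisted."""
    kinds = set()
    return scrub(record, env, kinds), kinds


if __name__ == "__main__":
    clean, kinds = scrub_record(RECORD, ENV_SNAPSHOT)
    print(json.dumps(clean, indent=2, ensure_ascii=False))
    print("redacted:", sorted(kinds))
```

The env snapshot itself is scrubbed by the same walk, so the persisted record keeps variable names (useful for reproducing a failure) but not their values. Scrubbing is a floor, not a ceiling: a record that still contains proprietary repository text should also carry a retention limit and be kept out of source control unless the user has reviewed it.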

VirusTotal

VirusTotal findings are pending for this skill version.
