玄奘.Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malware, but it gives itself broad local automation, persistent memory, and agent-management powers beyond a simple motivational/persona trigger.

Install only if you explicitly want a stateful local governance and agent-orchestration framework, not just a motivational style overlay. Review the shell verification flow, persistent memory files, and teardown/agent-management commands before enabling it in a workspace with sensitive code, credentials, or other agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
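The Behavioral AST patterns above (exec() and eval() calls, dynamic import, and the subprocess call reported in the first finding below) are cheap to reproduce locally on a skill's source tree before enabling it, which is what the overview asks for. The scanner below is an added example written for this page, not SkillSpector's code and not the skill's: it walks the Python AST for fully qualified subprocess and os.system calls, eval/exec, and dynamic imports, and reports whether a `shell=` argument is a literal True, a literal False/absent, or something non-literal that needs a human look. The sample module it scans is constructed to resemble the flagged verification loop, and the function names are the example's own.

```python
import ast
import os
from typing import List, Optional, Tuple

# Constructed sample resembling the flagged verification loop plus two other
# patterns from the list above; it is NOT the scanned skill's source.
SAMPLE_SOURCE = """
import os, subprocess
def verify(commands, contract_path):
    for cmd in commands:
        proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=120,
                              cwd=os.path.dirname(contract_path) or os.getcwd())
def load(expr):
    return eval(expr)
def plugin(name):
    return __import__(name)
"""

SUBPROCESS_FUNCS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_call", "subprocess.check_output"}
DYNAMIC_IMPORTS = {"__import__", "importlib.import_module"}


def dotted_name(node: ast.AST) -> Optional[str]:
    """'subprocess.run' for Name/Attribute chains; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src: str) -> List[Tuple[int, str]]:
    """(line, label) for each flagged call, sorted by line.

    Only fully qualified calls are matched: `from subprocess import run` or
    aliasing through assignment is not resolved, so a clean result means
    'nothing obvious', not proof of absence.
    """
    out = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in SUBPROCESS_FUNCS:
            shell = next((kw.value for kw in node.keywords if kw.arg == "shell"), None)
            if shell is None or (isinstance(shell, ast.Constant) and shell.value is False):
                out.append((node.lineno, f"{name} (no shell)"))
            elif isinstance(shell, ast.Constant) and shell.value is True:
                out.append((node.lineno, f"{name} shell=True"))
            else:
                out.append((node.lineno, f"{name} shell=<non-literal>"))
        elif name == "os.system":
            out.append((node.lineno, "os.system call"))
        elif name in ("eval", "exec"):
            out.append((node.lineno, f"{name}() call"))
        elif name in DYNAMIC_IMPORTS:
            out.append((node.lineno, f"dynamic import via {name}"))
    return sorted(out)


def scan_tree(root: str) -> List[Tuple[str, int, str]]:
    """Run scan_source over every .py file under root (e.g. a skill directory)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".py"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8") as fh:
                    for line, label in scan_source(fh.read()):
                        results.append((path, line, label))
            except (SyntaxError, UnicodeDecodeError) as exc:
                # A file the parser cannot read still deserves a manual look.
                results.append((path, 0, f"unparseable: {exc.__class__.__name__}"))
    return results


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, line, label in scan_tree(root):
        print(f"{path}:{line}: {label}")
```

Run it as `python scan.py path/to/skill` and compare the output against the findings list; a `shell=<non-literal>` hit is worth tracing by hand, because a scanner that only matches the literal `True` will miss `shell=flag` where `flag` is set elsewhere.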
Findings (69)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    for cmd in commands:
        try:
            proc = subprocess.run(
                cmd, shell=True, capture_output=True, text=True,
                timeout=120, cwd=os.path.dirname(contract_path) or os.getcwd()
            )
Confidence
98% confidence
Finding
proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=120, cwd=os.path.dirname(contract_path) or os.getcwd())
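What turns this finding into a real risk is where `commands` comes from. The snippet derives `cwd` from `contract_path`, which suggests the commands are part of a contract file (an inference from the snippet, not something the page states); if so, anyone who can write that file, or get an agent to copy attacker-supplied text into it, chooses what `/bin/sh` executes, because with `shell=True` a `;` or `&&` inside a command string starts a second command. The following is an added example for this page, not code from the skill: it runs a constructed contract command through the flagged pattern and through a hardened runner that tokenises once with `shlex.split`, checks the resolved binary against an allowlist, and executes with `shell=False` and a minimal environment so the verifier cannot harvest the agent's API keys (the Env Variable Harvesting pattern above). The allowlist, the `run_unsafe`/`run_hardened`/`flag_for_review` names and the sample commands are assumptions of the example.

```python
import os
import re
import shlex
import shutil
import subprocess
import sys
from typing import List, Optional

# Constructed sample commands of the kind a contract might hold; NOT taken
# from the scanned skill. The second one is what someone who can write the
# contract (or inject into text an agent copies there) would supply.
PY = shlex.quote(sys.executable)
SAMPLE_COMMANDS = [
    f"{PY} -c 'print(42)'",
    f"{PY} -c 'print(42)' ; echo PWNED",
]

# Assumption: the project keeps an allowlist of resolved verifier binaries.
# Here only the current interpreter is allowed; a real list would add the
# resolved path of pytest, a linter, and so on.
ALLOWED_BINARIES = {os.path.realpath(sys.executable)}

# Shell operators and expansions. Used only to flag commands for human review;
# a quoted ';' is flagged too, which is acceptable for triage.
SHELL_METACHARS = re.compile(r"[;&|`$<>]")


def run_unsafe(cmd: str, cwd: Optional[str] = None) -> subprocess.CompletedProcess:
    """The flagged pattern: the whole string is parsed and run by /bin/sh."""
    return subprocess.run(
        cmd, shell=True, capture_output=True, text=True,
        timeout=60, cwd=cwd or os.getcwd(),
    )


def resolve_binary(name: str) -> Optional[str]:
    """Absolute, symlink-resolved path of the program, or None if not found."""
    path = name if os.path.isabs(name) else shutil.which(name)
    return os.path.realpath(path) if path else None


def is_allowed(cmd: str) -> bool:
    """True only if the first token resolves to an allowlisted binary."""
    argv = shlex.split(cmd)
    if not argv:
        return False
    resolved = resolve_binary(argv[0])
    return resolved is not None and resolved in ALLOWED_BINARIES


def run_hardened(cmd: str, cwd: Optional[str] = None) -> subprocess.CompletedProcess:
    """Same command, tokenised once, allowlisted, executed without a shell.

    With shell=False the tokens after the program are plain arguments: a ';'
    in the contract reaches the verifier as argv text, not as a new command.
    """
    if not is_allowed(cmd):
        raise PermissionError(f"verifier binary not allowlisted: {cmd!r}")
    argv = shlex.split(cmd)
    # Minimal environment: the verifier must not inherit tokens or API keys
    # from the agent process.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    return subprocess.run(
        argv, shell=False, capture_output=True, text=True,
        timeout=60, cwd=cwd or os.getcwd(), env=env,
    )


def flag_for_review(commands: List[str]) -> List[str]:
    """Contract commands containing shell operators; each is a second command under shell=True."""
    return [c for c in commands if SHELL_METACHARS.search(c)]


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print("shell=True:", repr(run_unsafe(cmd).stdout))
        print("hardened  :", repr(run_hardened(cmd).stdout))
    print("flagged for review:", flag_for_review(SAMPLE_COMMANDS))
```

On the second sample command the `shell=True` path prints `42` and then `PWNED`; the hardened path prints only `42`, because `;`, `echo` and `PWNED` arrive as extra arguments to the interpreter rather than as a command. The allowlist check is what stops a contract from naming `/bin/sh -c ...` directly and getting a shell back.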

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation advertises capabilities such as active agent enumeration, reaping orphaned agents, and tearing down all agents, which materially exceed a narrow conversational coaching/routing role. Even if only documented text, this broadens operator expectations and can normalize unsafe control-plane behavior in a skill that should not manage other agents or system state.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
Claiming that role settings persist to config.json across sessions implies durable modification of user or agent configuration beyond ephemeral chat behavior. That creates risk of stealthy state changes, surprising future behavior, and policy bypass if a conversational skill can alter persistent config without strong disclosure and controls.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference documents broad runtime behavior including persistent state, governance, and multi-component orchestration that goes well beyond the manifest’s stated role of conditional motivational/escalation triggering. This creates a scope-transparency problem: users and platform reviewers may believe the skill is a narrow prompting aid when it actually maintains workflow state and exercises wider control over agent behavior.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented error logging, pressure scoring, and session-state tracking introduce ongoing behavioral monitoring not implied by the manifest’s trigger-based description. Even if intended for quality control, hidden telemetry and scoring can capture sensitive task context and materially change agent behavior without informed disclosure or clear necessity.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is documented as dispatching, monitoring, accepting, and cleaning up sub-agents, which is a substantial capability expansion beyond a simple motivational/escalation skill. Undisclosed orchestration increases operational risk because it can propagate instructions, broaden data exposure across agents, and make behavior harder for users and reviewers to predict or constrain.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Self-evolution, project memory, and cross-session persistence are not justified by the declared purpose of conditional motivational behavior and can create an unauthorized memory layer. This is dangerous because retained memories, anti-pattern logs, and baseline behavior updates may store sensitive project details and silently alter future behavior in ways users did not request or expect.

Context-Inappropriate Capability

Low
Confidence
72% confidence
Finding
Session sanitization/export tooling is not inherently malicious, but it is unrelated to the declared trigger-only purpose and indicates capability creep into transcript handling. Export features can increase data leakage risk if session contents are shared, persisted, or transformed outside the original interaction boundary.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata describes a frustration-triggered coaching/escalation aid, but this file defines a general-purpose multi-agent orchestration framework with delegation, parallel task dispatch, escalation flows, and lifecycle control. That scope expansion increases the operational power of the skill beyond its declared purpose, which can enable unintended autonomous behavior or hidden task routing not expected by users or reviewers.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The instruction to mark agents as stalled by writing to config.json introduces persistent state mutation and operational control unrelated to the skill's stated conversational/coaching role. Unnecessary state changes can be abused to alter agent scheduling or availability, creating integrity and control-plane risks if the skill is triggered inappropriately or manipulated.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file documents mandatory execution of a detector script plus writes to persistent state files and evolution logs, which exceeds a narrowly scoped coaching/trigger skill and introduces hidden side effects. In an agent setting, undisclosed persistence and automation can create audit, privacy, and integrity risks because the skill can modify repository state and retain behavioral history without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Persistent failure history and evolution logging are not clearly necessary for the stated purpose of de-escalation/coaching, so the capability creates unnecessary collection and retention of execution metadata. This becomes dangerous when the agent records operational history across tasks, potentially exposing sensitive repo context or influencing future behavior through opaque accumulated state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document expands a trigger-only behavioral skill into a stateful subsystem that persists cross-session baselines and behavioral history. That creates hidden retention and capability creep beyond the declared purpose, increasing the chance of unauthorized profiling, unexpected behavior shaping, and storage of sensitive project context without informed consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The 'project memory' section instructs the system to retain project-specific operational knowledge across sessions, which materially exceeds the manifest's stated PUA/escalation role. Even if credentials are excluded, build commands, deployment methods, and known traps can still reveal sensitive internal workflow details and broaden the skill's effective authority.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Persistent storage of behavioral baselines and project memory is not justified by the skill's described trigger purpose and creates cross-session tracking. This allows the skill to accumulate influence and context over time in a way users may not expect, which can amplify privacy and governance risks.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Allowing another subsystem or role to view the evolution history introduces unnecessary internal data sharing without a stated need. Even if the data is not overtly secret, this expands access to behavioral and project-context metadata and weakens least-privilege boundaries.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file documents system-level commands for agent lifecycle control, teardown, orphan reaping, and status inspection that exceed the declared purpose of a conversational '/pua' trigger skill. Even though this is documentation rather than executable code, it normalizes privileged operational behavior inside a skill context, which can lead an agent runtime or future implementation to expose unintended local control surfaces.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The markdown specifies persistent writes to data/config.json and cleanup behaviors that alter local state across sessions, but the skill metadata presents this as a mode-triggering conversational skill rather than a stateful system-management component. Persistence and teardown semantics increase risk because they can silently change future behavior, disable protections, or erase state without clear user awareness.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Agent inventory, TTL inspection, stale-agent reaping, and cascade teardown are administrative capabilities not justified by the stated purpose of a conversational 'pua mode' trigger skill. In this context, they broaden the skill’s authority into orchestration and environment management, which could expose internal topology, disrupt other agents, or enable denial-of-service-like cleanup actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This reference file turns a persona/behavior overlay into a broad orchestration framework with automatic governance, task routing, acceptance controls, and lifecycle management. That materially expands the skill's authority and behavioral surface beyond the manifest description, increasing the chance of unintended autonomous behavior and instruction takeover in downstream agent flows.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The document instructs sub-agents to locate and read external skill files and reference documents as mandatory behavioral authority. This creates a transitive prompt-injection channel where untrusted file contents can silently override intended constraints or expand capabilities across agent boundaries.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The self-evolution and harness-engine sections introduce local command execution workflows that are unrelated to the stated trigger/persona role of the skill. Embedding shell commands and operational tooling into a reference persona document can cause unauthorized execution paths, state mutation, or policy bypass when an agent treats the text as executable procedure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file expands a persuasion/persona skill into broad operational governance behavior, including workflow injection, strategic execution constraints, and tool/process orchestration unrelated to the manifest’s stated purpose. This creates hidden capability drift: a user-triggered style skill can unexpectedly alter task handling and system behavior beyond what operators or users would reasonably expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill embeds command execution pathways for local governance tooling (`evolution-engine.py`, `harness-engine.py`) despite being described as a PUA-style motivational/persona skill. This is dangerous because a low-trust stylistic trigger can cause the agent to invoke local scripts, create contracts, scan files, and gate actions, effectively granting hidden operational authority and increasing the risk of unintended or policy-bypassing system interactions.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The file implements a local governance/orchestration engine with contract creation, verification, gating, agent registration, and persistent state management, which materially exceeds the stated conversational trigger/escalation purpose of the skill. This capability mismatch is dangerous because it grants hidden operational powers users and reviewers would not reasonably expect from the published skill description.

VirusTotal

65/65 vendors flagged this skill as clean.
