Enoch Tuning

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it gives an agent broad persistent memory, unattended automation, local permission changes, and optional X account access that users should review carefully before installing.

Install only if you want a highly opinionated, persistent agent setup. Before running it, edit the automation tiers and AFK rules, require approval for external posts/messages, define what memory may store and for how long, review the sudo lock script, and enable the X bookmarks integration only with a dedicated app and protected credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill advertises only documentation-driven setup, but the installation instructions invoke shell scripts and copy files into the user's workspace, which are code-capable actions. When a skill has effective file-write and shell capabilities without explicit permission declarations, users and tooling cannot accurately assess the trust boundary or consent to the side effects.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes instructions to establish a recurring cron job that will run outside the immediate user request flow. Even though presented as optional, scheduled execution creates persistent behavior and can cause ongoing network access or file modifications without a fresh, explicit confirmation each time.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The script performs materially sensitive behavior beyond the generic skill description: it accesses a user's X account, fetches personal bookmarks, persists them locally, and writes a trigger file for a downstream research pipeline. That capability mismatch increases the chance of undisclosed data collection or automation being introduced under an innocuous-looking package description.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script accesses personal X bookmark data and converts new bookmarks into a research-pipeline input file, which is a meaningful privacy and automation capability. In the context of a broadly described 'production-ready agent' setup, that makes the behavior more dangerous because users may not expect personal social-media data to be harvested and fed into other workflows.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The template explicitly pushes the agent to persist outputs to files and to act with broad internal autonomy ('do it, then report the result') despite this skill being framed as a setup/tuning aid. That expands the agent's operational scope and can cause silent retention of sensitive task data or actions beyond what users reasonably expect from an install-time template.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Describing the agent as 'Chief of staff, research arm, memory bank, infrastructure' and as a steward of life data normalizes broad access and authority that are not justified by the skill's stated purpose. This can bias the agent toward over-collection, overreach, and handling sensitive personal data as if blanket permission already exists.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The file contains conflicting governance: one section says edits require user approval, while the ending encourages the agent to update the file as it learns. Ambiguity in self-modification rules is dangerous because it can be exploited or misinterpreted to justify unauthorized policy drift over time.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This text explicitly endorses autonomous persistence of memory ('writes things down as they happen') and automatic promotion of notes into structured memory without a nearby warning about scope, consent, or data sensitivity. In an agent skill, autonomous file-writing can lead to unintended storage of sensitive user data, privacy leakage, and accumulation of incorrect or unsafe state if the user has not explicitly configured boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section encourages the agent to perform autonomous idle-time work ('Then it does the work. It doesn't wait to be asked.') without warning about possible unintended modification of files, state drift, or harmful side effects. Even though examples include useful maintenance tasks, the absence of strict limits makes the behavior risky in production because the agent may overreach, create noise, or change user data unexpectedly.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly promotes AFK/idle-time task execution ('does work while you sleep' and mission-driven idle behavior) but does not clearly warn that autonomous actions may modify files, systems, or user data if boundaries are misconfigured. Even though the document mentions some guardrails, the overall marketing language encourages unsupervised operation, which increases the chance of unintended actions in a real deployment.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The memory architecture is described as consolidation-ready with automated nightly consolidation, but the README does not warn that the memory store may contain personal, operational, or otherwise sensitive data. Automating indexing and consolidation of such data can create privacy, retention, and over-collection risks if users are not told to review what is stored and how long it persists.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The installation flow tells users to run shell scripts that create directory structures and lock identity files in the workspace, but it does not clearly warn that these actions will modify and potentially restrict later edits to local files. This can lead users to execute impactful changes without understanding persistence or rollback implications.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase is broad enough that ordinary requests like 'check bookmarks' or 'sync bookmarks' could invoke a workflow that performs file reads, external fetches, searches, and writes. Underspecified triggers increase the chance of accidental activation of a multi-step process with side effects the user may not have intended.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The optional cron setup directs automatic scheduled execution but does not include a clear warning that it creates ongoing background activity. That can surprise users with repeated syncing, web access, analysis, and downstream actions long after the original interaction.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script reads OAuth tokens, refresh tokens, client ID, and client secret from local credential files and uses them automatically without any interactive disclosure or confirmation. While this may be operationally normal, in a packaged skill it creates a transparency and consent problem around sensitive credential use.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script overwrites local research and trigger files with current bookmark-derived content, which can silently alter downstream processing inputs and erase prior state. In a larger agent environment, such implicit file mutation is risky because it can trigger other automations or cause data loss without explicit user awareness.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The AFK rule treats 5+ minutes of silence and vague phrases like "afk" or "//" as authorization to begin autonomous work. This can trigger unintended actions during ordinary pauses, context switches, or abandoned chats, especially because the same section instructs the agent to proactively choose and execute tasks from mission-related priorities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instruction to save useful research to `research/` creates persistent storage of task-derived information without notifying the user or asking for consent. That can retain sensitive prompts, personal data, or confidential findings longer than intended, increasing privacy and data-retention risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The 'Living Files Rule' mandates writing useful results to markdown files as a standing behavior, with no privacy warning, sensitivity check, or retention policy. This is risky because it turns ephemeral conversations and analyses into durable records that may expose personal or confidential information later.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template explicitly asks users to provide a Telegram handle and numeric Telegram user ID, which are persistent personal identifiers, without explaining why they are needed, how they will be used, or how they will be protected. In the context of a production-ready agent setup with memory and automation, collecting this data increases privacy and targeting risk if stored, exposed, or reused beyond the user's expectations.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
```markdown
- **Hard Rules section in SOUL.md** — these are non-negotiable behavioral guardrails
- **Idiot Prevention Protocol in AGENTS.md** — protects your infrastructure from chat-based config changes
- **Verification Protocol** — removing this reintroduces stale data and fake completions
- **Automation tiers** — the boundary between "runs without asking" and "never without instruction" is load-bearing

## File Structure
```
Confidence
80% confidence
Finding
without asking

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
cp skills/enoch-tuning/templates/ops/verification-protocol.md ~/.openclaw/workspace/ops/verification-protocol.md
```

### Step 2 — Create memory structure
```bash
bash skills/enoch-tuning/setup/memory-structure.sh ~/.openclaw/workspace
```
Confidence
76% confidence
Finding
Create memory structure
```bash
bash skills/enoch-tuning/setup/memory-structure.sh ~/.openclaw/workspace
```
### Step 3 — Personalize (required)
Edit these files — everything in [BRACKETS] is a place

VirusTotal

66/66 vendors flagged this skill as clean.