Evolution Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent self-improvement toolkit, but it should be used only in workspaces where persisting session memory to local files and sharing playbook and test-case content with the Gemini API are acceptable.

Install it only in a workspace where you intentionally want persistent self-audit and session-memory files, and then:

  • Set EVOLUTION_TOOLKIT_WORKSPACE to a narrow directory so the memory, imprint and report files cannot pick up unrelated content.
  • Keep secrets out of CURRENT.md, the daily memory logs, test cases and playbooks; the tools read these files, and the optimizer sends playbook and test-case content to Gemini.
  • Periodically delete old imprints, reports, fingerprints and history; they duplicate task context and accumulate by default.
  • Run skill-optimizer only with content you are comfortable sending to Gemini.
  • Treat --dry-run on the optimizer as "no output files are written", not as an offline or no-network mode: the generation and evaluation requests to Gemini are still made.
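The hygiene steps above are easy to forget between sessions, so here is an added pre-flight script that applies two of them mechanically: it greps the files the tools read for secret-looking lines, and it prunes stale derived artifacts. This is example code written for this page, not part of the toolkit or of the scan report. It assumes a workspace layout the page does not confirm (CURRENT.md, memory/*.md, tests/*.md and playbooks/*.md as inputs; imprints/, reports/, fingerprints/ and history/ as derived artifacts); the secret patterns and the 30-day retention window are illustrative choices, and the sample workspace it builds is constructed.

```python
"""Pre-flight check for an Evolution Toolkit workspace.

Added example, not the toolkit's own code. It assumes (not confirmed by the
page) that EVOLUTION_TOOLKIT_WORKSPACE points at a directory containing
CURRENT.md, memory/*.md daily logs, tests/*.md, playbooks/*.md, and derived
artifacts under imprints/, reports/, fingerprints/ and history/.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Hypothetical secret shapes; extend with the formats your providers use.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                    # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # PEM private key
    re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*\S{8,}"),
]

# Files the optimizer reads (and may send to Gemini) or the memory tools persist.
SENSITIVE_GLOBS = ["CURRENT.md", "memory/*.md", "tests/*.md", "playbooks/*.md"]
# Derived artifacts the overview says should be pruned periodically.
DERIVED_DIRS = ["imprints", "reports", "fingerprints", "history"]


def scan_for_secrets(workspace):
    """Return (relative path, line number, pattern) for each secret-looking line.

    Run this before skill-optimizer, including with --dry-run, because the
    report notes that dry runs still send playbooks and test cases to Gemini.
    """
    root = Path(workspace)
    hits = []
    for glob in SENSITIVE_GLOBS:
        for path in sorted(root.glob(glob)):
            with path.open(encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for rx in SECRET_PATTERNS:
                        if rx.search(line):
                            hits.append((path.relative_to(root).as_posix(), line_no, rx.pattern))
                            break  # one report per line is enough
    return hits


def prune_derived_artifacts(workspace, max_age_days, now=None):
    """Delete files under DERIVED_DIRS whose mtime is older than max_age_days.

    Returns the relative paths removed, in DERIVED_DIRS order."""
    root = Path(workspace)
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    removed = []
    for name in DERIVED_DIRS:
        for path in sorted((root / name).glob("*")):
            if path.is_file() and path.stat().st_mtime < cutoff:
                path.unlink()
                removed.append(path.relative_to(root).as_posix())
    return removed


def build_demo_workspace(root):
    """Constructed sample workspace: one leaked key, one stale and one fresh artifact."""
    root = Path(root)
    for name in ["memory", "history", "reports"]:
        (root / name).mkdir(parents=True, exist_ok=True)
    (root / "CURRENT.md").write_text(
        "# Current task: tidy the onboarding playbook\n"
        "GEMINI_API_KEY=constructed-sample-value-not-real\n",
        encoding="utf-8",
    )
    (root / "memory" / "2024-01-01.md").write_text("Reviewed retention notes.\n", encoding="utf-8")
    old = time.time() - 40 * 86400  # 40 days ago, i.e. past a 30-day window
    for rel in ["history/old.jsonl", "reports/old.md"]:
        (root / rel).write_text("{}\n", encoding="utf-8")
        os.utime(root / rel, (old, old))
    (root / "history" / "new.jsonl").write_text("{}\n", encoding="utf-8")
    return root


def run_demo():
    """Build the sample workspace, scan it, prune it, and return what happened."""
    root = build_demo_workspace(tempfile.mkdtemp(prefix="evo-demo-"))
    hits = scan_for_secrets(root)
    removed = prune_derived_artifacts(root, max_age_days=30)
    remaining = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return {"hits": hits, "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    ws = os.environ.get("EVOLUTION_TOOLKIT_WORKSPACE")
    if ws:
        for hit in scan_for_secrets(ws):
            print("secret-like content: %s:%d (%s)" % hit)
        print("pruned:", prune_derived_artifacts(ws, max_age_days=30))
    else:
        print(run_demo())
```

Run it with EVOLUTION_TOOLKIT_WORKSPACE set to the real workspace before invoking skill-optimizer; a non-empty hit list means the optimizer would ship that line to Gemini, dry run or not. Without the variable it exercises the constructed workspace, flagging the planted key on line 2 of CURRENT.md and removing only the two 40-day-old artifacts.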

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The header and usage text describe the script as generating fingerprints from text, but do not disclose that single-file runs are auto-persisted to a workspace history by default. This mismatch can cause users to process sensitive journal or reasoning content under the assumption of ephemeral analysis, leading to unintended retention of potentially private data.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The script labels execution as 'DRY RUN' but still performs live generation and evaluation requests to the external Gemini API. This can mislead users into believing no network calls, data disclosure, or billable usage will occur, causing unintended transmission of playbooks and test cases as well as unexpected cost.

Missing User Warnings

Medium
Confidence: 86%
Finding
The README promotes session handoff, prediction logging, cognitive fingerprinting, and cross-session coherence features that are likely to persist agent- or user-derived data to workspace files, but it does not clearly warn operators about privacy, retention, or sensitivity risks. In an agent skill context, silent persistence of conversational or behavioral data can lead to unintended storage of sensitive prompts, user content, or derived profiles across sessions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README instructs users to supply API keys and run the optimizer, but it does not disclose that external model requests may include playbook contents or other workspace-derived material. This creates a data exfiltration and confidentiality risk because operators may unknowingly transmit proprietary instructions, internal workflows, or sensitive text to a third-party model provider.

Vague Triggers

Medium
Confidence: 82%
Finding
The protocol says it should be integrated into the assistant's default engagement style for any non-trivial problem, which makes activation overly broad. That can cause the agent to apply a questioning-heavy interaction pattern in many ordinary contexts where direct assistance is expected, potentially degrading task performance, delaying action, or interfering with user intent.

Vague Triggers

Medium
Confidence: 89%
Finding
The phase-detection table maps very common phrases like 'I think,' 'Should I,' and 'Write' to behavioral modes, making misclassification likely during normal conversation. If the protocol activates based on these broad linguistic cues, the agent may enter the wrong mode and systematically provide the wrong type of assistance, such as withholding recommendations or adding friction when the user wants execution.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script automatically appends fingerprint data to a persistent history file without prior warning or user confirmation. In this skill context, the analyzed inputs are likely reflective writing or cognitive/self-analysis text, so silent persistence increases privacy risk by retaining sensitive behavioral or psychological metadata that users may not expect to be stored.

Missing User Warnings

Medium
Confidence: 86%
Finding
This script reads all daily memory logs from a workspace directory, analyzes their contents, and writes a synthesized report to disk, but it provides no explicit consent prompt, privacy warning, scope restriction, or redaction of sensitive content. In a memory/journaling context, this can expose highly sensitive personal or project information and create a second derived artifact that is easier to browse, copy, or exfiltrate than the original logs.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script automatically reads up to 20 lines from CURRENT.md and embeds that content into a durable imprint file without an explicit consent step, preview, or redaction workflow. If CURRENT.md contains secrets, sensitive operational notes, or user data, this silently expands retention and exposure to anyone or any later process that can read the imprint directory.

Missing User Warnings

Medium
Confidence: 95%
Finding
This function sends full test case data and playbook contents to a third-party API without any explicit user-facing disclosure or consent at runtime. If those inputs contain proprietary workflows, customer data, or sensitive prompts, users may unknowingly expose confidential material to an external service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The evaluator transmits output artifacts and test case content to Gemini without prominently warning the user that these materials leave the local environment. Because generated outputs may themselves contain sensitive data derived from prompts or test fixtures, this creates an additional confidentiality risk beyond the initial generation step.

Ssd 3

Medium
Confidence: 87%
Finding
The tool is explicitly designed to persist session state and tell future sessions to reread it, creating a long-lived natural-language memory channel. In agent/operator environments, that can unintentionally propagate confidential prompts, sensitive reasoning context, or private user material across sessions beyond the original need-to-know scope.

Ssd 3

Medium
Confidence: 94%
Finding
This code duplicates task context from CURRENT.md into another persistent artifact, increasing the number of locations where sensitive information resides. That duplication makes accidental disclosure, over-retention, and unintended reuse by later sessions or tools more likely.

Ssd 3

Medium
Confidence: 95%
Finding
The generated markdown file persistently stores operator-provided answers together with imported task context in a format intended for later consumption. Because the content is free-form and durable, users may enter credentials, internal plans, or sensitive observations that are then retained and replayed across future sessions, increasing leakage risk.

VirusTotal

All 64 VirusTotal vendors returned a clean verdict for this skill. That result covers known-malware detection only; it says nothing about the data-retention and Gemini data-sharing findings listed above, which are design behaviours rather than malicious code.

View on VirusTotal