Metaskill

Security checks across malware telemetry and agentic risk

Overview

Metaskill is a plausible learning aid, but it needs review because it can save task and error details, write into another skill's memory, and send those details to configured LLM providers.

Install only if you are comfortable with persistent learning logs and possible LLM API calls containing task descriptions, error details, and excerpts from prior learnings. Prefer the local Ollama configuration for sensitive work, avoid putting secrets into correction or success notes, review the AGENTS.md automation before enabling it, and do not use the Gemini provider for sensitive work until the API-key-in-URL implementation is corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and operationalizes access to environment variables, file reads, and network-backed LLM providers, but it does not declare permissions or boundaries for those capabilities. That creates a transparency and policy-enforcement gap: an agent may invoke the skill assuming it is low-risk while it can access secrets, local files, and external services during normal use.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script prefers a learnings file under another skill's directory (`self-improving-agent`) rather than confining its state to `metaskill`. This creates cross-skill data coupling and lets use of this skill modify or consume data outside its own expected boundary, which is dangerous because it violates least surprise and weakens isolation between skills.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script creates directories and persists data into workspace files even though the skill is described as teaching or analysis-oriented rather than performing stateful modification. Undisclosed file-system writes are risky in agent environments because they can alter workspace state, leave behind sensitive error descriptions, and be invoked in contexts where only read-only assistance was expected.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script sends user-supplied task descriptions and extracted content from a local learnings file to an external LLM service without any visible minimization, consent, or trust-boundary checks. Although the skill's stated purpose involves learning transfer, which makes this behavior more plausible, it still creates a real data exfiltration path for potentially sensitive internal notes; the skill context does not make it any less risky.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script preferentially writes to another skill's learning log (`self-improving-agent`) based only on file existence, creating an undocumented cross-skill modification path. This can silently alter another component's state, poison its history, or create confusing trust and provenance issues when agents rely on those logs for later decisions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation guidance is overly broad: phrases like 'when an error occurs' and 'before starting a complex task' can cause the skill to run in many contexts, including sensitive workflows where task details, errors, or artifacts may contain confidential data. Because the skill also performs transfer learning, persistence, and potentially network-backed processing, over-invocation materially increases data exposure and unintended side effects.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Making this skill mandatory in AGENTS.md for 'any major task' and after 'complex task' completion creates a default always-on learning and logging behavior without precise scope. In practice, ambiguous mandatory wiring can force agents to process and persist sensitive task context routinely, increasing the chance of secret retention, unnecessary file writes, or external transmission via configured providers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly writes learning data to disk, potentially into another skill's shared learning directory, but does not warn that task-derived information will be persisted. Silent persistence is risky because error reports, task descriptions, and 'what worked' summaries may include secrets, proprietary information, or personal data that remain on disk and may later be reused or exfiltrated.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script appends user-provided and LLM-derived content to disk without warning in its usage text or an affirmative consent step in the normal path. This is dangerous because error descriptions may contain secrets, tokens, internal paths, or other sensitive operational data that become silently persisted in a workspace log.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script sends raw command-line input directly to an external LLM provider without any notice, consent flow, or indication that the supplied text may leave the local environment. If users pass sensitive error descriptions, stack traces, file paths, tokens, or proprietary details on the command line, those contents can be disclosed to a third-party service unintentionally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This file transmits arbitrary prompt content to third-party LLM providers without any built-in disclosure, consent gate, or data-classification check. In an agent skill context, prompts may contain user secrets, internal documents, or system context, so silent external transmission can create a meaningful confidentiality and compliance risk even if the code is not malicious.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Gemini branch sends prompt contents to an external Google endpoint and includes the API key in the request URL, but the file provides no explicit disclosure or consent mechanism. In this skill context, that increases the chance that sensitive agent inputs are sent off-box unexpectedly, making confidentiality and governance issues more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code performs a network/LLM call with both the task description and extracted file content, but there is no user-facing notice in the file and no indication of consent or confidentiality handling. That omission is dangerous because users or higher-level agents may assume local processing while sensitive operational context is actually being sent to a third-party model provider.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The script appends caller-supplied text directly into a workspace markdown file without warning, confirmation, or sanitization. While this is not code execution by itself, it enables silent persistence of untrusted content, which can mislead future agents, contaminate learning logs, or be used for prompt/content injection if those files are later consumed automatically.

VirusTotal

64/64 vendors flagged this skill as clean.
