Superpowers-Openclaw

Security checks across malware telemetry and agentic risk

Overview

This skill package is a disclosed development-workflow collection, but it grants itself very broad influence over agent behavior and can prompt automatic setup commands that execute project code without sufficient user control.

Review carefully before installing. This package is not showing exfiltration or hidden malware, but it can broadly shape agent behavior and may lead the agent to run dependency installs, builds, tests, git commits, merges, pushes, and PR commands. Use it only in repositories you trust, and require explicit confirmation before package-manager commands or git operations that mutate branches or history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill's stated purpose is worktree setup, but it also instructs the agent to run dependency installation, builds, and tests automatically. Those steps can execute untrusted project-controlled code such as npm lifecycle scripts, Python package hooks, or test code, expanding the action surface well beyond simple repository workspace creation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The included install/build/test commands are not strictly required to create a git worktree and therefore violate least privilege for the skill's scope. In hostile or unfamiliar repositories, these commands may trigger arbitrary code execution or persistent environment changes through project scripts and dependency tooling.

Intent-Code Divergence

Severity: Low
Confidence: 80%
Finding:
The ignore-check logic treats .worktrees and worktrees interchangeably, but the remediation says to 'Add appropriate line to .gitignore' without tying the fix to the chosen directory. If the wrong path is ignored, worktree contents may end up tracked or pollute git status, undermining the safety guarantee the skill relies on.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding:
The skill explicitly bans all gratitude expressions in code review responses, imposing a rigid interpersonal style without user consent. While not a classic security flaw, this is a behavioral control issue that can override user-preferred communication norms, reduce transparency, and create misalignment between the agent and the user's intent in collaborative settings.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill instructs running npm install, cargo build, poetry install, pip install, and tests without warning that these actions may execute untrusted code from the repository or its dependencies. This is especially dangerous in an agent setting because the commands are framed as routine setup, making automatic execution more likely despite substantial code-execution and environment-modification risk.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The skill is scoped to trigger at the start of essentially every conversation and explicitly requires checking for applicable skills before any response, including clarifying questions. That broad activation creates a policy-surface expansion where untrusted skill logic can systematically influence model behavior across unrelated tasks, increasing the chance of prompt-level interference or workflow hijacking.

Natural-Language Policy Violations

Severity: High
Confidence: 97%
Finding:
The file states that SuperpowersOpen skills override default system prompt behavior where they conflict, which is a direct attempt to subordinate higher-trust baseline safeguards to repository-provided natural-language instructions. Even though it says user instructions take precedence, permitting skill text to override default system behavior can weaken core safety controls and make downstream skills more effective at bypassing intended guardrails.

Context Leakage

Severity: High
Category: Data Exfiltration
Content (excerpt from the skill file):

````
### Layer 4: Debug Instrumentation
**Purpose:** Capture context for forensics

```typescript
async function gitInit(directory: string) {
````

Confidence: 90%
Finding:
Capture context

VirusTotal

59/59 vendors flagged this skill as clean.
