Security audit

Timezone

Security checks across malware telemetry and agentic risk

Overview

This timezone skill appears purpose-related and not destructive, but it should be reviewed because setup can automatically change persistent agent instruction files.

Install only if you are comfortable with a timezone utility modifying AGENTS.md and steering future agent behavior. Before running setup, confirm the timezone, inspect the added “Timezone Standing Order” block, and remove that block if you uninstall or no longer want persistent timezone enforcement. No credential theft, network exfiltration, destructive action, or malware-like behavior was found in the inspected artifacts; the Review verdict is about persistence and user-control concerns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium (93% confidence)
The script goes beyond local timezone configuration and rewrites repository-wide `AGENTS.md` instructions, which can silently alter agent behavior for the whole project. In a skill ecosystem, modifying global instruction files is risky because it broadens scope and creates a persistence mechanism that can influence future agent actions beyond the user's immediate intent.

Intent-Code Divergence

Medium (97% confidence)
The code patches `AGENTS.md` unconditionally in the `--set` path because of `if args.patch_agents or True`, which overrides the CLI contract and causes side effects the user did not request. Misleading interfaces are dangerous in setup tooling because they can be used to smuggle persistent instruction changes under the guise of a harmless configuration update.

Vague Triggers

Medium (84% confidence)
The trigger list includes broad phrases like 'UTC', 'local time', and 'any heartbeat where time accuracy matters,' which can cause the skill to activate during ordinary conversation or background processing. Over-broad activation increases the chance of unexpected shell execution, file writes, or policy patching in contexts where the user did not intend to invoke the skill.

Natural-Language Policy Violations

Medium (81% confidence)
The standing rules are written to be patched into AGENTS.md, permanently forcing future time output into one timezone without an explicit user-choice mechanism. Because this alters the agent's persistent operating instructions, it can override future user preferences and create hidden behavioral drift beyond the immediate request.

Missing User Warnings

Medium (88% confidence)
The metadata explicitly says the skill will "patch AGENTS.md with standing time rules," but it does not clearly warn users that installing or running the skill may modify project instruction files. Silent or poorly disclosed modification of agent-control files is dangerous because it can permanently alter agent behavior, create hard-to-trace prompt injection persistence, and exceed what a user expects from a timezone utility.

Missing User Warnings

Medium (94% confidence)
In the non-interactive `--set` path, the script writes to `AGENTS.md` without a prior warning or confirmation, creating an unexpected persistent change to agent instructions. In agent tooling, undisclosed writes to shared instruction files are especially risky because they can affect future automated decisions and are easy for users to miss.

Missing User Warnings

Medium (94% confidence)
Auto-detect mode performs both configuration writes and `AGENTS.md` patching without advance disclosure, despite sounding like a read-only detection action. This discrepancy increases risk because users or automation may invoke `--detect` expecting observation only, but instead receive persistent repository-wide instruction changes.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.