auto-research-proposal

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent research-debate helper, but it automatically launches a local monitor process and persistently records detailed session data without enough user control.

Install only if you are comfortable with a local terminal monitor and persistent project memory files. Before running it, ask the agent to confirm before starting the monitor, avoid putting secrets or sensitive unpublished material in the discussion, verify the monitor path resolves to this reviewed package, and delete memory/war-room, memory/.private, checkpoints, and results copies when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: The skill instructs launching OS-specific shell commands in a new terminal using interpolated paths such as <repo_root> and <project_path>. If those values are not safely quoted or validated, this creates command-injection risk and causes unexpected subprocess execution outside the core debate/proposal function.

Missing User Warnings

Medium
Confidence: 94%
Finding: Providing ready-to-run shell commands that open terminals and execute a Python monitor without a warning encourages silent subprocess execution and hides side effects from the operator. In an agentic skill, this is dangerous because the user may not realize new processes are being created, what files are being accessed, or how long the monitor will persist.

Missing User Warnings

Medium
Confidence: 95%
Finding: The monitor reads and displays persona drift information from the hidden memory directory (`memory/.private`) directly in the TUI. Even though it only surfaces a yes/no drift flag rather than full memo contents, it still exposes data derived from private agent memory without any warning, consent gate, or access control, which can leak sensitive internal state to anyone viewing the terminal or session output. In this skill context, the monitor is spawned automatically at session start, which increases exposure because users may not realize private state is being surfaced live.

Ssd 3

Medium
Confidence: 96%
Finding: The skill stores detailed private persona memos and discussion content, then copies session artifacts into broadly accessible results output. This can expose sensitive user inputs, internal reasoning traces, and private drift/state annotations beyond their original context, especially because memory/.private is explicitly used during the session and the monitor reads it in real time.

VirusTotal

66/66 vendors flagged this skill as clean.
