sharpinput

Security checks across malware telemetry and agentic risk

Overview

SharpInput is a prompt-improvement skill, but it saves and silently reuses detailed preference history while requesting broader file and command powers than it clearly needs.

Review before installing. Clear the included user-preferences files, require opt-in before any self-learning writes, disable silent autofill unless values are confirmed each time, and remove Bash or constrain Write to the preference JSON only. Treat this as a Review item, not proven malware: no executable payload, dependency issue, exfiltration path, or destructive install behavior was found.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (20)

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
Finding: The skill claims it should not be used for file operations, yet it declares Read/Write/Glob/Bash and instructs the agent to traverse package files. That mismatch can cause the skill to be invoked in contexts where users expect prompt-only assistance, while still granting filesystem and shell access, expanding the attack surface and enabling unintended file access or modification.

Context-Inappropriate Capability

Severity: Medium. Confidence: 88%.
Finding: Write access is not justified by the skill's stated purpose of rewriting or sharpening user inputs. Unnecessary write permission can let the skill alter local files, prompts, references, or test assets if manipulated, turning a low-risk editing assistant into one capable of persistence or content tampering.

Context-Inappropriate Capability

Severity: Medium. Confidence: 88%.
Finding: Write access is not justified by the skill's stated purpose of rewriting or sharpening user inputs. Unnecessary write permission can let the skill alter local files, prompts, references, or test assets if manipulated, turning a low-risk editing assistant into one capable of persistence or content tampering.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
Finding: The file explicitly instructs the main agent to invoke a separate general-purpose subagent for "independent review," which expands the skill from input/prompt sharpening into autonomous multi-agent execution. That increases attack surface, introduces an additional model invocation that processes user-derived content, and can bypass the skill's stated scope and safety assumptions if the subagent is less constrained or differently configured.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
Finding: The document explicitly instructs the skill to persist user preference and interaction-history data across sessions in a file outside transient prompt state. For a prompt-sharpening skill, this creates unnecessary long-lived profiling and retention risk, especially because the data is reused automatically on later invocations rather than being limited to the current session.

Context-Inappropriate Capability

Severity: Medium. Confidence: 94%.
Finding: The schema includes rich contextual profile fields such as role, tech stack, budget, team size, domain, and constraints, which go beyond what is needed to rewrite or clarify prompts. Storing this broader profile increases privacy exposure and creates a more detailed user model that could be misused or leaked if the file is accessed by other skills or operators.

Context-Inappropriate Capability

Severity: Medium. Confidence: 92%.
Finding: Outcome tracking with inferred sentiment scores and behavioral analytics extends the system from prompt improvement into user-performance monitoring. This broadens surveillance of user behavior without clear necessity for the skill's stated function and may generate inaccurate or sensitive inferences that persist over time.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
Finding: Automatically replacing placeholders in current output using prior-session stored values can silently alter user content based on historical data. This risks injecting stale, incorrect, or privacy-sensitive information into prompts or messages the user may send onward without realizing it.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
Finding: The file stores detailed cross-session history and derived summaries about the user, including role, budget, domain, constraints, strategy preferences, and behavioral patterns that go well beyond what is necessary to sharpen a single prompt. This creates unnecessary profiling and retention risk: if exposed or reused broadly, it can influence future outputs, leak sensitive context, or enable inference about the user's habits and decision-making.

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
Finding: The summary block aggregates prior sessions into reusable behavioral signals such as preferred angles, intent history, strategy feedback, and autofilled context. That enables cross-session profiling unrelated to the narrow task of prompt optimization, increasing the chance of hidden personalization, privacy harm, and unintended secondary use of user data.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
Finding: The file describes a persistent self-learning profile that stores cross-session behavioral preferences and prior interaction summaries, which exceeds what is necessary for a prompt/input sharpening skill. This creates unnecessary profiling and retention risk, especially because the stored data can reveal user habits, work context, budget constraints, and decision tendencies over time.

Context-Inappropriate Capability

Severity: High. Confidence: 98%.
Finding: The file stores detailed cross-session personal profile data and decision history unrelated to the skill's stated purpose of improving prompts. This unjustified persistence increases privacy exposure and enables behavioral profiling, which could be misused for manipulation, deanonymization, or leakage of sensitive work and purchasing context.

Intent-Code Divergence

Severity: Medium. Confidence: 92%.
Finding: The statement that the file is auto-maintained by a self-learning system indicates behavior outside the declared scope of a prompt-improvement tool. This mismatch is dangerous because users and reviewers may not expect persistent memory or adaptive profiling, undermining informed consent and masking broader data handling than the manifest suggests.

Vague Triggers

Severity: Medium. Confidence: 78%.
Finding: The trigger criteria include broad wording such as discussion about prompt/question quality, which can overlap with normal conversation. Overbroad activation is dangerous here because the skill carries excessive tools; even if the trigger issue alone is mild, it increases the chance that a more privileged-than-necessary skill is selected in unrelated contexts.

Natural-Language Policy Violations

Severity: Medium. Confidence: 95%.
Finding: The document explicitly mandates a Chinese default phrase ("默认答案压力测试") without conditioning it on the user's language or locale. In a prompt-optimization skill, this can silently alter user intent, degrade usability, and cause downstream prompts to be generated in the wrong language, which is especially risky because the skill is supposed to preserve and improve the user's original input rather than impose formatting or language defaults.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding: The design describes persistent storage, migration, and deletion mechanics, but there is no clear user-facing warning or consent flow explaining that data will be saved and reused. Hidden persistence undermines user expectations and can cause unauthorized retention of interaction metadata and profile information.

Missing User Warnings

Severity: Medium. Confidence: 97%.
Finding: The instructions say stored preferences should be applied silently before intent recognition, meaning personalization occurs without fresh disclosure at runtime. Silent automated personalization is risky because it can bias system behavior and use prior data in ways the user does not expect or remember consenting to.

Vague Triggers

Severity: Medium. Confidence: 85%.
Finding: The trigger list uses subjective conditions such as "high-risk decision," "likely intent drift," and "multi-path prompt" without clear definitions or thresholds. That ambiguity can cause inconsistent invocation of the review skill, leading to unnecessary escalation, missed reviews, or uneven safety/quality checks across similar requests.

Natural-Language Policy Violations

Severity: Medium. Confidence: 90%.
Finding: The skill hard-codes a Chinese output template and instructs the renderer to keep that structure, which can force a locale/language choice without explicit user opt-in. In a prompt-improvement skill, this can degrade usability, cause unintended language switching, and create downstream errors if the user or consuming system expects another language.

Ssd 3

Severity: Medium. Confidence: 96%.
Finding: The skill stores contextual details and may automatically reuse them in future outputs without obtaining fresh confirmation from the user. Reuse of prior context in generated content can expose sensitive details, propagate stale data, and cause unintended disclosure when the output is sent to another AI or person.

VirusTotal

65/65 vendors flagged this skill as clean.