ClawHub

Skill Combinator — Emergent Capabilities Engine

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about its purpose, but it deserves Review because it broadly coordinates other skills, writes persistent agent memory, and sends recurring Telegram reports.

Install only if you want a meta-skill that can coordinate other installed skills and maintain persistent operational memory. Before enabling the cron job, define explicit approval rules for trades, deployments, public posts, account changes, and other irreversible actions; review COMBINATIONS.md and .learnings regularly; and keep Telegram reports limited to non-sensitive summaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill states it will 'automatically' activate on broadly defined situations like complex missions or whenever multiple skills could interact, without clear guardrails, user confirmation, or narrow activation criteria. In a meta-skill that influences planning across other installed skills, this can cause unintended invocation, privilege expansion through skill chaining, and unpredictable behavior on sensitive tasks.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation trigger is effectively unbounded: 'any complex mission' can cause the meta-skill to enumerate installed skills and influence execution planning across many unrelated tasks. In a meta-skill whose purpose is to compose other capabilities, broad automatic activation increases the chance of unintended skill invocation, privilege creep, and unsafe cross-domain behavior, especially when paired with autonomous weekly operation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs the agent to send weekly reports via Telegram and requires a bot token, but it does not disclose what information may leave the local environment or warn about privacy, retention, and third-party exposure. Because this skill aggregates discovered combinations, learning logs, and skill gaps over time, reports could leak sensitive operational details, internal capabilities, or data-derived insights to an external messaging service.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to run on broadly defined conditions like 'any complex task', 'new project', or whenever multiple skills could interact, which can cause frequent and unintended invocation. Because this is a meta-skill that inventories installed skills, reads multiple workspace files, writes persistent logs, and may influence execution planning, over-triggering increases attack surface and can lead to unnecessary data access, noisy state changes, and autonomy creep.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The cron prompt explicitly authorizes writing to workspace files such as COMBINATIONS.md, .learnings/LEARNINGS.md, and memory logs without any user-facing warning or approval boundary. In an autonomous scheduled context, this can lead to silent modification of project state, accidental corruption of records, or persistence of bad data if the skill is triggered with incorrect assumptions or adversarial inputs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directs the agent to send reports using credentials from environment variables, but it does not include a strong privacy warning or outbound data minimization guard beyond a generic 'do not output credentials' note. In a scheduled autonomous workflow, this increases the risk of unintended exfiltration of sensitive workspace-derived information to external channels if report contents are overbroad or the notification target is misconfigured.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal