oh my skill, make skill easy!

Security checks across malware telemetry and agentic risk

Overview

This skill openly helps turn completed conversations into reusable skill files, but users should review what gets saved because it can preserve session details.

Install only if you are comfortable with an agent offering to turn completed conversations into persistent skills. Avoid using it on highly sensitive sessions, review the cleaned session and generated SKILL.md before relying on it, and narrow any overly broad trigger descriptions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill clearly instructs reading prior session content, invoking a masking script on transcript text, and saving generated artifacts under the user's skills directory, but it does not declare corresponding read/write permissions. This creates hidden capability expansion: operators may believe the skill is metadata-only while it can access conversation-derived content and persist files to disk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The declared purpose is workflow capture, but the instructions add a broader transcript-processing/redaction pipeline that can ingest whole session text, transform it, and write sanitized outputs. That mismatch is dangerous because reviewers and users may not realize the skill performs secondary data handling on potentially sensitive conversation content.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The skill encourages proactive triggering even when the user did not request persistence, then processes full session content with only a warning and customizable masking guidance. This increases the chance that sensitive session data is captured or summarized without informed consent, especially because desensitization is optional/tunable rather than enforced and validated.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: Extracting and transforming entire session transcripts is broader than necessary for saving a reusable workflow, violating data minimization principles. The broader the captured context, the more likely secrets, personal data, or unrelated project details are retained in generated skills or intermediate files.

Vague Triggers

Severity: High
Confidence: 90%
Finding: The trigger guidance is so broad that the skill may activate after many ordinary multi-step tasks, leading to frequent unsolicited attempts to inspect and persist workflow/session information. Broad auto-invocation increases the attack surface for inadvertent collection, overreach, and user confusion about when files will be created.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: Telling future generated skills to be 'pushy' about trigger phrases encourages overbroad activation logic and repeated unsolicited engagement. This compounds the persistence risk by creating descendant skills that are also more likely to trigger on vague contexts and process data outside clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill instructs writing files into the user's skills directory as part of normal operation, but the up-front description emphasizes automation and proactive use rather than explicit disclosure of file creation. Users may not understand that invoking or accepting the workflow will persist artifacts on disk, including potentially derived content from prior sessions.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:

```
---
name: oh-my-skill
description: Automatically generate and save a reusable skill after AI agent successfully completes a complex task involving 5 or more tool calls. Use this skill whenever a multi-step workflow has just been completed successfully — such as document creation pipelines, data transformation flows, research-and-write tasks, multi-file editing workflows, or any agentic sequence that involved planning, tool use, and structured output. Trigger this skill proactively at the end of complex task completions even if the user hasn't asked for it, offering to save the workflow as a reusable skill. Also trigger when users say things like "save this as a skill", "make this repeatable", "turn this into a skill" or "oh-my-skill".
metadata:
  openclaw:
    requires:
```

Confidence: 95%
Finding: write tasks, multi-file editing workflows, or any agentic sequence that involved planning, tool use, and structured output. Trigger this skill proactively at the end of complex task completions even i

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:

### Step 2: Draft the Skill

Write a `SKILL.md` with:

```
---
```

Confidence: 91%
Finding: Write a `SKILL.md` with:

```
---
name: <kebab-case-name>
description: <What it does, when to trigger. Be specific and "pushy" — list all the user phrases and contexts that should trigger this skill.>
```

VirusTotal

67/67 vendors flagged this skill as clean.