Agent Setup Kit

Security checks across malware telemetry and agentic risk

Overview

This skill openly reconfigures an agent, but it gives simple chat phrases the power to install skills and change persistent agent knowledge with limited safeguards.

Install only on an agent profile where you intentionally want durable behavior changes. Before setup, review the prompt and command handler, back up agent config plus SOUL.md/MEMORY.md/SKILL.md, and require explicit confirmations for each skill install and knowledge write. There is no artifact evidence of credential theft, exfiltration, or destructive behavior, but the setup is broad enough to warrant careful review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The code invokes a shell command to install a package/skill based on user input, which grants the agent the ability to modify its runtime environment and fetch external code. Even though the regex restricts obvious shell metacharacters, this still creates a risky trust boundary: an untrusted user can trigger installation of any skill whose name passes the regex filter, potentially introducing malicious code or unsafe dependencies into the agent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README explicitly advertises an automatic setup flow that detects the agent, modifies its system prompt, enables command handling, and restarts it, but does not warn users that this changes core agent behavior and may affect security posture. In an agent-skill context, silent prompt modification and restart increase the risk of unsafe configuration changes being applied without informed consent or review.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README describes knowledge integration that adds content to persistent areas such as SOUL, MEMORY, or SKILL, but does not disclose that this may write durable state into the agent. In this context, undocumented persistent writes are risky because they can alter future behavior, store untrusted content, and make changes hard to audit or revert.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The skill advertises broad natural-language behaviors like skill installation, book discovery, and command handling without clear boundaries, which can cause unintended activation from ordinary user text. In an agent context, ambiguous triggers increase the chance of executing privileged actions such as installing skills or altering knowledge state based on loosely interpreted input.

Vague Triggers

Severity: Medium
Confidence: 97%
Finding
The system prompt defines activation rules like 'Mention a book' and generic 'yes/no' confirmations, which are too vague for a command-capable agent. This can let unrelated conversation trigger searches, integrations, or confirmations that apply to the wrong pending action, creating confusion and unsafe state changes.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger 'When user mentions a book title' is overly broad and lacks a clear intent check, so ordinary conversation can unintentionally activate the find-book workflow. In an agent with tool access and follow-on prompts for integration, this can cause unnecessary data retrieval and user confusion, and increases the chance of unintended multi-step actions.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The integration flow allows a generic reply like 'yes' to trigger writes to SOUL.md, MEMORY.md, and SKILL.md without a strong binding to the specific prior action or scoped confirmation. This creates an ambiguous activation boundary where a stray affirmation, context bleed, or prompt injection in surrounding conversation could cause unintended persistence into the knowledge base.

VirusTotal

66/66 vendors flagged this skill as clean.
