Skill Gee

Security checks across malware telemetry and agentic risk

Overview

This learning-log skill is mostly coherent, but it asks for unexplained install authority and can affect future agent behavior through persistent memory and hooks.

Review this before installing. Confirm the intended package/repository and do not install the unexplained gog Homebrew dependency unless the maintainer justifies it. Keep logs sanitized, avoid raw transcripts or command output, and require approval before promoting entries into AGENTS.md, CLAUDE.md, SOUL.md, TOOLS.md, MEMORY.md, or sharing anything across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 79%
Finding:
The inter-session communication section introduces access to other sessions' history and message passing, which exceeds the stated logging purpose and could expose sensitive context across sessions if used loosely. Even though the text advises trusted environments and sanitized summaries, cross-session transcript access materially increases data exposure risk.

Context-Inappropriate Capability

Severity: High
Confidence: 89%
Finding:
Documenting `sessions_history` and `sessions_send` as part of a learning-log workflow creates a real confidentiality risk because prior transcripts may contain secrets, credentials, proprietary code, or private user data. A skill focused on logging learnings does not need transcript-reading capability, so including it broadens the attack surface and normalizes unnecessary access to sensitive session state.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The guide's security section says the scripts 'only output text' and 'don't modify files or run commands,' but the documented hook mechanism explicitly invokes shell commands via the hook runner. This mismatch can mislead users into granting trust and enabling hooks without properly assessing execution risk, especially since the scripts run with the agent's permissions.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
An empty matcher on UserPromptSubmit makes the hook fire for every prompt, creating effectively always-on command execution in every session. Broad triggering increases attack surface, privacy exposure, and the chance that unreviewed hook behavior affects unrelated tasks or sensitive workflows.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The user-level configuration enables global activation across all sessions without meaningful trigger constraints, which expands the blast radius from a single project to the entire user environment. If the referenced scripts are changed, replaced, or behave unexpectedly, every session may invoke them automatically.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The Codex example also uses an empty matcher, producing an ambiguous always-on trigger for all prompts in that environment. As with the Claude configuration, this broad scope unnecessarily increases automatic command execution frequency and can propagate risky behavior into unrelated sessions.

VirusTotal

65/65 vendors flagged this skill as clean.