ClawHub

Custodian

Security checks across malware telemetry and agentic risk

Overview

This maintenance skill appears purpose-aligned, but it can make persistent system changes and self-update from GitHub with insufficient scoping and approval detail.

Review before installing. Only use this if you want an autonomous maintenance skill that can change files, register scheduled jobs, and update itself from GitHub. Prefer disabling automatic updates and cron registration unless you have reviewed the source, trust the update repository, and can undo the changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The README claims there are no external dependencies, yet elsewhere describes self-updating from GitHub and a progressive web search protocol, both of which imply network access and reliance on external services. This mismatch can mislead users and reviewers about the skill's trust boundary, making it easier for unapproved outbound connectivity or supply-chain exposure to go unnoticed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that initialization automatically creates directories, registers cron jobs, and copies workflow plans, but does not prominently warn that the skill modifies the host environment. Silent persistence and filesystem changes are risky because users may invoke the skill expecting analysis only, not installation-like side effects.

Missing User Warnings

High
Confidence
97% confidence
Finding
A scheduled self-update from GitHub introduces recurring remote code change without a strong warning, approval checkpoint, or integrity model described in the README. In an agent skill, unattended updates materially increase supply-chain and persistence risk because code can change after installation and execute on a timer.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad (for example, routine troubleshooting language like 'check system health' or 'fix log errors'), which increases the chance the skill is invoked unintentionally. Because this skill performs autonomous repairs, cron registration, initialization, and other state-changing actions, accidental invocation can lead to unauthorized operational changes without clear user intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description presents the skill as autonomously detecting and repairing failures during quiet hours, but it does not prominently warn users that it will write files, register tasks, alter cron state, initialize skills, and perform repairs. This is dangerous because users may invoke it for passive diagnostics while the skill actually performs privileged modifications across the environment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly includes a 'custodian.update' command that pulls the latest code from GitHub, yet there is no explicit safety warning, trust model, pinning strategy, or approval gate. Pulling and updating code from a remote repository is a supply-chain risk and can introduce unreviewed or malicious changes into a privileged maintenance skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description includes broad trigger phrases such as 'check system health', 'why is X failing', and 'clean up errors', which overlap with common user troubleshooting requests. Because this skill can autonomously apply fixes, initialize skills, and register background tasks, overly broad invocation criteria increase the risk of unintended activation and execution of operational changes outside the user's specific intent.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal