ClawHub

Humor

Security checks across malware telemetry and agentic risk

Overview

This humor skill is instruction-only and purpose-aligned, but it keeps local notes about user humor preferences that users should understand before installing.

Install only if you are comfortable with the agent keeping a local humor-preference profile under ~/humor/. Review or delete that directory to reset saved interaction history, callbacks, and inferred preferences.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill’s scope is broad and self-directed: it says to 'develop adaptive humor' and 'build profile' without clearly constraining when the skill should activate, when it should stop, or requiring explicit user opt-in. In an agent setting, ambiguous activation can cause unwanted behavioral steering across unrelated conversations, increasing the chance of inappropriate responses, privacy-invasive profiling, and persistence beyond user expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to create and maintain files under '~/humor/' containing per-user interaction history, callbacks, and 'wins' without notice, consent, retention safeguards, or data minimization. This creates a privacy and security risk because behavioral data about a user’s reactions and preferences may be retained locally, reused across sessions, or exposed to other processes/users on the system.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the system to save user-specific behavioral patterns to a profile based on inferred amusement signals, but provides no warning, consent flow, retention limit, or privacy boundary. This creates a real privacy risk because it normalizes covert collection and persistence of behavioral preference data, which can be used for profiling, manipulation, or unintended secondary use if stored across sessions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal