Keras

Security checks across malware telemetry and agentic risk

Overview

This Keras skill appears to provide ordinary model-building assistance, with disclosed local preference storage and no evidence of exfiltration or destructive behavior.

Install only if you are comfortable with the skill remembering Keras workflow preferences such as architectures, hyperparameters, activation preferences, and hardware constraints. Review or delete ~/keras/memory.md if you do not want those details retained, and keep model data or credentials out of stored preferences.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The manifest describes a technical assistance skill for Keras modeling workflows. This file instructs the agent to maintain persistent user profiling data such as activation triggers, preferred architectures, hyperparameters, and hardware constraints, which is not an obvious implementation detail of model-building assistance and expands the behavior into long-term preference storage.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
Line L03 establishes a user-consent expectation before creating files, and L31-L37 further say to ask before storing preferences. However, L22 gives an unconditional instruction to save the activation preference to MAIN memory early in the conversation, creating a direct contradiction in the documented intent around consent for persistence.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The setup asks whether the skill should help whenever the user mentions 'neural networks or training,' and later summarizes activation as 'neural networks, training, Keras mentions.' These triggers overlap with common ML discussion and do not clearly define boundaries or exclusions, making accidental invocation likely.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The file instructs saving the user's activation preference to MAIN memory, and later describes storing project preferences in ~/keras/memory.md. Although it mentions asking before storing preferences, it does not clearly warn the user that conversational preferences and workflow details may be retained across sessions or persisted to disk.

VirusTotal

64/64 vendors flagged this skill as clean.