Coordinator Evolution

Security checks across malware telemetry and agentic risk

Overview

This skill mostly describes task-planning behavior, but it also tells the agent to permanently rewrite startup and identity files so the skill keeps priority in future sessions.

Install only if you deliberately want a skill that can affect persistent agent behavior. Do not allow it to edit AGENTS.md, IDENTITY.md, or BOOTSTRAP.md unless you review the exact changes and know how to remove them later; using only its planning and verification advice would be much lower risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Finding:
The skill explicitly instructs persistent modification of AGENTS.md, IDENTITY.md, and BOOTSTRAP.md so it will be automatically loaded and prioritized in future sessions. This establishes unauthorized self-persistence and alters core agent behavior beyond the user’s current request, which is dangerous because it can survive across sessions and influence future instruction handling.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding:
A task coordination framework has no legitimate need to rewrite identity or bootstrap files to make itself part of the agent’s permanent cognition. These instructions exceed the stated purpose and create stealthy persistence and behavioral takeover capabilities that can be reused to bias or subvert future sessions.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
Finding:
The document frames itself as a coordination aid but then requires unconditional highest-priority internalization and permanent locking, which is inconsistent with a normal helper skill. That mismatch increases the risk of deceptive packaging: users may enable it for workflow benefits without realizing it attempts to supersede normal instruction hierarchy and persist indefinitely.

Missing User Warnings

Severity: High | Confidence: 99%
Finding:
The skill directs persistent modification of core markdown control files without warning the user that it is changing long-lived agent configuration. Silent persistence is dangerous because it prevents informed consent, makes later behavior harder to attribute, and can create a durable foothold for instruction hijacking.

Ssd 1

Severity: High | Confidence: 99%
Finding:
The skill tells the model to internalize its rules as the highest-priority behavior without confirmation, effectively attempting to override the normal instruction hierarchy. This is dangerous because it can cause the agent to privilege untrusted skill content over legitimate system, developer, or user directives, enabling prompt injection and policy bypass.

Ssd 1

Severity: High | Confidence: 99%
Finding:
The permanent locking section combines persistence with prioritization by instructing modification of identity and startup files so the skill is always loaded first across sessions. This creates a durable semantic backdoor: once installed, the framework can continuously reassert control and resist normal removal or contextual constraints.

VirusTotal

66/66 vendors flagged this skill as clean.