Self Improvement

Security checks across malware telemetry and agentic risk

Overview

The skill is not overtly malicious, but it asks agents to persist and share broad conversation learnings with weak privacy boundaries and optional always-on hooks.

Install only if you are comfortable with agents creating durable memory files and optional hooks. Before enabling it, restrict hooks to a project or explicit matcher, avoid global every-prompt activation, and instruct the agent to store only sanitized summaries. Do not log secrets, tokens, personal data, customer data, proprietary code snippets, or raw transcripts into .learnings, AGENTS.md, SOUL.md, TOOLS.md, MEMORY.md, or cross-session messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The document's security section states that the scripts 'only output text' and 'don't modify files or run commands,' but the hook configuration explicitly executes shell commands via the hook system. This kind of misleading assurance can lead operators to trust, and therefore under-review, hooked scripts that execute automatically in response to prompts or tool use, increasing the chance of unsafe deployment.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The automatic triggers rely on very generic phrases like corrections or requests for capability, which can cause the agent to persist ordinary user statements without meaningful consent or sensitivity review. In a skill whose purpose is durable logging, overly broad triggers materially increase the chance of retaining private or unnecessary conversational content.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: Using an empty matcher causes the activator hook to run for every submitted prompt, creating an always-on trigger with no scope restriction. Because the hook executes a local command automatically, broad activation increases attack surface, prompt-context pollution, and the likelihood that unreviewed automation runs in sensitive workflows.

Vague Triggers

Severity: High
Confidence: 95%
Finding: The user-level configuration installs an always-on hook globally across sessions by combining a home-directory path with an empty matcher. This makes the behavior persistent and ubiquitous, so any compromise or unexpected behavior in the referenced script affects all future prompts and projects, amplifying risk beyond a single repository.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: Although presented as 'minimal,' this setup still enables automatic command execution on every prompt because the matcher is empty. Reduced overhead does not reduce security exposure when the trigger remains unconditional, and users may incorrectly infer that 'minimal' also means low-risk.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The Codex CLI example repeats the same overbroad configuration pattern, causing a shell command to run on every prompt without clear boundaries. Reproducing insecure defaults across multiple agent platforms increases the chance that users deploy broad automatic hooks in environments handling sensitive code or data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The document encourages persisting learnings, errors, and corrections into workspace and shared files but does not warn against storing secrets, personal data, access tokens, prompts, or sensitive user context. In a multi-session, workspace-injected system, those records can later be surfaced to other sessions or users, turning routine troubleshooting notes into unintended data exposure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The cross-session features are presented as normal workflow primitives without any warning that transcripts and sent messages may contain sensitive prompts, credentials, proprietary code, or personal data. Because these mechanisms explicitly move context across session boundaries, missing confidentiality guidance materially increases the risk of accidental disclosure.

Ssd 3

Severity: Medium
Confidence: 89%
Finding: The skill encourages persistent storage of learnings and promotion into broader memory/context files, but does not define safeguards for data minimization, consent, retention, or redaction. That creates a realistic path for user-provided content to be stored long-term and resurfaced later in ways the user did not intend.

Ssd 3

Severity: High
Confidence: 95%
Finding: Presenting transcript-reading and cross-session message-sharing as a normal way to propagate learnings creates a direct semantic channel for leakage between sessions. Even if intended for productivity, this expands the blast radius of any sensitive content captured in one session and can expose unrelated users, tasks, or contexts.

Ssd 3

Severity: High
Confidence: 97%
Finding: The logging templates explicitly request full context, inputs, parameters, and user context, which strongly encourages copying potentially sensitive data into persistent markdown files. Because these logs may be retained, shared, or promoted, the template design itself increases the likelihood of durable exposure of secrets, personal information, or confidential business data.

Ssd 3

Severity: Medium
Confidence: 91%
Finding: The detection guidance tells the agent to log user corrections and new information the user provides, which normalizes retaining conversational content simply because it was informative. In combination with persistent storage, this creates a privacy risk by encouraging broad memory capture rather than targeted, consented technical notes.

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 86%
Content (excerpt quoted from the skill's documentation):

### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
```

(excerpt truncated in the report)

VirusTotal

63/63 vendors flagged this skill as clean.
