Daily Growth & Maturity

Security checks across malware telemetry and agentic risk

Overview

This skill is a memory tool, but it also installs persistent agent instructions and recurring automation that can rewrite core workspace control files.

Install only if you intentionally want a skill that can persist memory across sessions, inject startup hooks, prompt or create recurring cron behavior, and rewrite files that shape future agent behavior. Back up SOUL.md, AGENTS.md, IDENTITY.md, HEARTBEAT.md, SESSION-STATE.md, and ~/self-improving/ first, and make sure you know how to disable the cron and remove injected hooks. The artifacts did not show credential theft, network exfiltration, or destructive deletion, so this is Review rather than malicious.
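Before installing, the practical step behind the advice above is to take a baseline of the governance files and to know what to look for in the crontab afterwards. The following is an added example, not code from the skill or from the SkillSpector report: it hashes SOUL.md, AGENTS.md, IDENTITY.md, HEARTBEAT.md and SESSION-STATE.md before install, reports which of them the install step or the nightly cron later created, rewrote or deleted, and flags active crontab lines that reference the skill's state directory. The file names come from the report; the hook comment, the crontab dump, the `nightly-review.sh` script name and the `daily-growth` needle are constructed for the example.

```python
"""Baseline-and-diff check for the governance files this skill rewrites.

Added example; not part of the skill or of the SkillSpector report. The file
names come from the report. The hook comment, the crontab lines, the script
name and the "daily-growth" needle are constructed for the example.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

GOVERNANCE_FILES = ["SOUL.md", "AGENTS.md", "IDENTITY.md", "HEARTBEAT.md", "SESSION-STATE.md"]

# Constructed crontab dump, standing in for what `crontab -l` might print after install.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * cd ~/self-improving && ./nightly-review.sh >> ~/self-improving/cron.log 2>&1
30 6 * * * /usr/local/bin/backup-docs.sh
"""


def sha256_file(path: Path) -> Optional[str]:
    """Hex digest of the file, or None if it does not exist (absence is a valid baseline state)."""
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(workspace: Path) -> Dict[str, Optional[str]]:
    return {name: sha256_file(workspace / name) for name in GOVERNANCE_FILES}


def save_baseline(workspace: Path, baseline_path: Path) -> Dict[str, Optional[str]]:
    """Take the pre-install snapshot and store it in a file the skill does not manage."""
    snap = snapshot(workspace)
    baseline_path.write_text(json.dumps(snap, indent=2))
    return snap


def diff_against_baseline(workspace: Path, baseline: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each changed file to 'created', 'modified' or 'deleted'; unchanged files are omitted."""
    changes: Dict[str, str] = {}
    for name, old in baseline.items():
        new = sha256_file(workspace / name)
        if old == new:
            continue
        changes[name] = "created" if old is None else "deleted" if new is None else "modified"
    return changes


def suspicious_cron_lines(
    crontab_text: str, needles: Tuple[str, ...] = ("self-improving", "daily-growth")
) -> List[str]:
    """Active (non-comment) crontab lines that reference the skill's state dir or name."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if any(n in s for n in needles):
            hits.append(s)
    return hits


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Run the check against a throwaway workspace with a simulated install step."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        (ws / "SOUL.md").write_text("# Soul\nBe helpful.\n")
        (ws / "AGENTS.md").write_text("# Agents\n")
        baseline = save_baseline(ws, ws / ".governance-baseline.json")
        # Simulated install: append a startup hook to SOUL.md and create HEARTBEAT.md.
        with (ws / "SOUL.md").open("a") as f:
            f.write("\n<!-- daily-growth: read ~/self-improving/ at session start -->\n")
        (ws / "HEARTBEAT.md").write_text("verify the nightly cron exists\n")
        changes = diff_against_baseline(ws, baseline)
    return changes, suspicious_cron_lines(SAMPLE_CRONTAB)


if __name__ == "__main__":
    changed, cron_hits = demo()
    print("changed:", changed)
    print("cron entries to review:", cron_hits)
```

In practice, call `save_baseline` on the real workspace before installing, run `diff_against_baseline` after the first session and again after the nightly job has fired, and feed the output of `crontab -l` to `suspicious_cron_lines`. A file that flips to "modified" between two nightly runs with no user action is the unattended rewrite the findings below describe.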

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Intent-Code Divergence

Severity: High | Confidence: 96%
Finding
The document claims integration is non-destructive, but elsewhere directs the cron to rewrite core workspace control files. That contradiction is dangerous because it can mislead users into trusting a skill that may silently alter high-impact agent-governing files.

Intent-Code Divergence

Severity: High | Confidence: 95%
Finding
The architecture section says the skill never overwrites workspace files, but the cron behavior later explicitly rewrites them. Misrepresenting destructive behavior lowers scrutiny and can enable persistence and policy tampering under the guise of harmless memory management.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding
A self-healing recurring cron that enforces daily rewrites goes beyond self-reflection and turns the skill into a persistence and automation mechanism. This expands the blast radius from session-local memory to unattended, repeated modification of user files.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
Finding
The skill modifies core control files such as SOUL.md, AGENTS.md, HEARTBEAT.md, and IDENTITY.md to influence future behavior. That exceeds a narrow memory function and creates a durable policy-injection channel affecting subsequent sessions and agent decisions.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
This code installs persistent instructions into governance files like SOUL.md, AGENTS.md, and HEARTBEAT.md so that future agent sessions are compelled to read attacker-controlled guidance, create a cron job, and continue the skill's workflow. That creates durable prompt/instruction persistence across sessions and context resets, which is a strong persistence mechanism and can subvert user intent or platform controls long after the initial run.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
Finding
The install flow automatically creates and appends to workspace markdown control files while presenting the behavior as routine initialization/self-improvement. This is dangerous because it covertly alters the agent's future operating context and can establish persistence without clear disclosure that governance documents are being modified to influence later sessions.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding
The skill documents creation of a persistent nightly cron job that performs broad autonomous actions, including reviewing state and rewriting workspace markdown files. That exceeds a narrowly scoped self-reflection feature and creates an unattended persistence and modification mechanism that can alter future agent behavior without per-run user approval.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
Finding
Auto-injecting content into SOUL.md, AGENTS.md, and HEARTBEAT.md modifies global instruction surfaces that influence agent behavior outside the skill's immediate scope. This is dangerous because it establishes persistence and control over future sessions, effectively broadening privilege from memory management to policy and behavior manipulation.

Missing User Warnings

Severity: High | Confidence: 94%
Finding
The description advertises automatic rewriting of workspace markdown files without a strong user-facing warning about integrity and persistence risks. Users may enable the skill expecting note-taking, not unattended modification of important workspace files.

Missing User Warnings

Severity: High | Confidence: 95%
Finding
The nightly cron is framed as a key feature, but the text does not present a clear risk warning proportionate to the fact it rewrites multiple persistent files automatically. That lack of disclosure undermines informed consent and increases accidental deployment of a high-impact automation.

Vague Triggers

Severity: Medium | Confidence: 91%
Finding
The manifest description advertises broad autonomous behaviors such as self-reflection, persistent memory, cold-boot recovery, and automated daily review without clearly constraining when or how those actions may be triggered. In a skill that also requests cron, write, and exec capabilities, this ambiguity increases the chance of unintended autonomous actions, persistence, or workspace modification beyond explicit user intent.

Natural-Language Policy Violations

Severity: High | Confidence: 98%
Finding
The phrase 'no behavioral compliance required' is a strong red flag because it attempts to normalize file-rewriting behavior while implying the action should proceed without policy or behavioral safeguards. In context, this skill is explicitly designed for persistence, self-healing cron, and rewriting workspace .md files, so language that downplays compliance meaningfully increases the risk of unauthorized modification, instruction laundering, and policy bypass.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The file describes persisting user corrections and preferences into memory or project files, but it does not require clear user notice, consent, or disclosure of retention scope. Even though the content excludes some sensitive categories, silently storing behavioral preferences across sessions can violate user expectations, create privacy risk, and unintentionally retain sensitive project context.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
This workflow mandates multiple persistent file writes before responding, without requiring user awareness or consent. That can silently modify local state and create durable records of user inputs, corrections, and context, which is risky in environments where workspace files may contain or expose sensitive information.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The session-start procedure instructs the agent to read and preload multiple local files automatically, including prior session state and memory, without any privacy disclosure or scope check. This can expose historical user data unnecessarily and increases the chance of reusing unrelated sensitive context in a new session.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding
The code writes and modifies multiple workspace markdown files without obtaining explicit confirmation at the time of modification. In this context those files are not ordinary content files but governance/instruction files, so silent modification can change future agent behavior and reduce the user's control over what gets persisted.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
These embedded instructions tell future agents to automatically verify/create a cron job and write persistent markers, framing the setup as non-optional. That is dangerous because it establishes autonomous recurring execution and persistence without contemporaneous user approval, enabling the skill to keep influencing the environment after the initial interaction.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The instructions describe automatic modification of user workspace files and creation of scheduled automation without a prominent up-front warning or consent step. Silent system-level changes reduce user control and increase the chance that persistent behavior is installed unknowingly, which is especially risky for files that shape agent conduct.

Missing User Warnings

Severity: High | Confidence: 97%
Finding
A nightly job that rewrites SOUL.md, AGENTS.md, IDENTITY.md, and HEARTBEAT.md creates ongoing autonomous control over core instruction files, yet the setup does not foreground this as a major persistent behavior change. In this skill context, that is more dangerous because these files define future agent behavior, so unattended rewriting can compound mistakes, policy drift, or malicious prompt persistence over time.

Ssd 3

Severity: Medium | Confidence: 88%
Finding
The skill instructs the agent to persist user-provided preferences, corrections, deadlines, and decisions across sessions in local files. Without minimization and sensitivity filtering, this creates a durable store of potentially sensitive interaction data that may later be resurfaced or misused.

Ssd 3

Severity: Medium | Confidence: 90%
Finding
The cold-boot and nightly review flow mandates broad rereading of prior session state, corrections, and project files, increasing the chance sensitive data is repeatedly exposed to future runs. Persistent replay of historical context raises both privacy and accidental disclosure risk.

Ssd 3

Severity: Medium | Confidence: 97%
Finding
The WAL protocol explicitly requires logging corrections and contextual information before responding, which encourages capture of user-provided content into long-lived files regardless of sensitivity. This can retain secrets, personal data, or confidential business information beyond the original interaction and make later leakage or unintended reuse more likely.

Ssd 3

Severity: Medium | Confidence: 94%
Finding
The cold-start recovery flow directs wholesale reloading of prior session state and memory, which promotes reuse of previously supplied information outside the original context. This weakens contextual isolation between sessions and can cause accidental disclosure, over-personalization, or inappropriate carryover of past user data.

Ssd 3

Severity: Medium | Confidence: 96%
Finding
The example memory and corrections formats normalize storing detailed context, user preferences, lessons, and project history in durable files. Because these examples include conversational context and correction details, they create a strong incentive to persist potentially sensitive or identifying information long-term, increasing exposure if the files are accessed, synced, or reused unexpectedly.

Ssd 3

Severity: Medium | Confidence: 91%
Finding
The skill directs the agent to log user corrections and reusable lessons before responding, creating a persistent natural-language memory of user-provided content. Without minimization, consent, retention limits, or sensitivity filtering, this can store private or sensitive information and later reuse it in ways the user did not expect.
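The last six findings all come down to one missing control: the write-ahead log persists whatever the user said, with no minimization or sensitivity filtering in front of the write. The block below is an added example of that gate, not code from the skill or from SkillSpector. Only allowlisted entry kinds (preference, correction, lesson, decision, deadline, the categories the report says the skill stores) are written; tokens that look like credentials or e-mail addresses are redacted in place; and an entry containing a private-key block is refused entirely rather than partially cleaned. The entry schema, the regexes, the `memory-wal.jsonl` file name and the sample entries are constructed for the example.

```python
"""Minimization and redaction gate in front of the skill's memory write-ahead log.

Added example; not code from the skill or from the SkillSpector report. The
allowlisted kinds follow the categories the report says the skill stores; the
entry schema, patterns, file name and sample entries are constructed.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

ALLOWED_KINDS = {"preference", "correction", "lesson", "decision", "deadline"}

# Ordered: the private-key check runs first so it is recorded even if later patterns also fire.
SECRET_PATTERNS = [
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_secret", re.compile(r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]

# Constructed sample of what the skill would try to log before answering.
SAMPLE_ENTRIES = [
    {"kind": "preference", "text": "Prefers British spelling in docs."},
    {"kind": "correction", "text": "Deploy uses api_key=sk-test-12345; ask before any prod push."},
    {"kind": "lesson", "text": "Release sign-off comes from alice@example.com."},
    {"kind": "raw_transcript", "text": "user: here is the whole chat so far ..."},
    {"kind": "decision", "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----"},
]


def redact(text: str) -> Tuple[str, List[str]]:
    """Replace secret-looking spans with a labelled placeholder; return the text and what fired."""
    findings: List[str] = []
    for name, pat in SECRET_PATTERNS:
        if pat.search(text):
            findings.append(name)
            text = pat.sub(f"[REDACTED:{name}]", text)
    return text, findings


def gate_entry(entry: Dict) -> Tuple[Optional[Dict], List[str]]:
    """Return (entry_to_persist or None, findings). None means the entry must not be written."""
    kind = entry.get("kind")
    if kind not in ALLOWED_KINDS:
        return None, ["kind_not_allowed"]
    text, findings = redact(str(entry.get("text", "")))
    if "private_key_block" in findings:
        # Partial redaction of key material is not worth keeping; drop the whole entry.
        return None, findings
    # Persist only the two fields the memory format needs, capped in length (minimization).
    return {"kind": kind, "text": text[:500]}, findings


def append_gated(wal_path: Path, entries: List[Dict]) -> List[Tuple[Optional[Dict], List[str]]]:
    """Append gated entries as JSON lines; entries the gate rejects are never written."""
    results = []
    with wal_path.open("a", encoding="utf-8") as f:
        for e in entries:
            kept, findings = gate_entry(e)
            results.append((kept, findings))
            if kept is not None:
                f.write(json.dumps(kept) + "\n")
    return results


def demo() -> Tuple[List[Tuple[Optional[Dict], List[str]]], int]:
    """Gate the sample entries into a throwaway WAL; return per-entry results and lines written."""
    with tempfile.TemporaryDirectory() as tmp:
        wal = Path(tmp) / "memory-wal.jsonl"
        results = append_gated(wal, SAMPLE_ENTRIES)
        written = wal.read_text(encoding="utf-8").count("\n")
    return results, written


if __name__ == "__main__":
    for kept, findings in demo()[0]:
        print(kept, findings)
```

The gate is deliberately placed before the write rather than at read time: once a secret is in a file the nightly job rereads and the cold-boot flow preloads, it is part of every future session's context. The findings list it returns is also the right place to hang a user notice ("the following was redacted before being remembered"), which addresses the consent gap the Missing User Warnings findings describe.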

VirusTotal

66/66 vendors flagged this skill as clean.
