Self-Improving Engineering

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed engineering-learning logger with optional reminder hooks, but users should review any promotion into agent instruction files before enabling it broadly.

Install only if you want a local engineering-learning workflow. Keep hooks project-scoped, avoid the global empty matcher unless you intentionally want reminders on every prompt, and review diffs before adding anything to `AGENTS.md`, `CLAUDE.md`, `SOUL.md`, `TOOLS.md`, ADRs, or Copilot instructions. Redact secrets and sensitive operational details before logging or committing `.learnings/` files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The skill says it captures engineering learnings, but also instructs promoting content into ADRs and broader agent/workspace guidance files. That expands its write scope from a local log store into project memory and agent-instruction surfaces, which can persist and amplify mistaken, sensitive, or adversarial content.

Description-Behavior Mismatch

Medium
Confidence: 80%
Finding
Including reusable-skill extraction and repository scaffolding goes beyond passive engineering-note capture and turns the skill into a content generator that can create new executable/prompt artifacts on disk. In an adversarial or low-trust environment, this increases the chance of propagating flawed or prompt-injection-laden guidance into new skills.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill directs edits to high-influence instruction files like `CLAUDE.md`, `AGENTS.md`, `.github/copilot-instructions.md`, `SOUL.md`, and `TOOLS.md`. Those files shape future agent behavior, so writing derived learnings into them can become a prompt-persistence channel that outlives the original session and affects later tasks in ways users may not expect.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs creating and appending to project/workspace files without a clear user-facing warning at the point of action. Silent or assumed writes are risky because they can modify repositories, create persistent artifacts, or capture sensitive operational details even when the user only expected analysis or advice.

Vague Triggers

Medium
Confidence: 83%
Finding
The automatic detection triggers are broad enough to match routine engineering discussion, failures, reviews, and alerts, which can cause over-invocation and unnecessary logging or reminder injection. In practice, broad triggers increase accidental persistence and make it easier for unrelated content to be swept into learning logs or workflow prompts.

Vague Triggers

Medium
Confidence: 94%
Finding
The example config uses an empty matcher for a UserPromptSubmit hook, which causes the hook to fire on every prompt without task scoping. In this skill, that broad trigger increases the chance of unnecessary context injection, prompt pollution, and accidental exposure of sensitive prompt content to hook scripts if users enable it indiscriminately.

Vague Triggers

Medium
Confidence: 96%
Finding
The user-level configuration installs the hook globally and still uses an empty matcher, broadening activation across all projects and sessions. This makes the behavior persistent and harder for users to reason about, increasing the risk of cross-project prompt interception and over-collection beyond the engineering-improvement use case.

Vague Triggers

Medium
Confidence: 93%
Finding
The Codex example repeats the same broad pattern by leaving the matcher empty, so the hook would activate on every prompt in that tool as well. Because this is documentation users may copy verbatim, it operationalizes overly broad interception as a default pattern and expands the blast radius of any hook-side logging or prompt-derived behavior.

VirusTotal

64/64 vendors reported this skill as clean.