Self-Improving Legal

Security checks across malware telemetry and agentic risk

Overview

This legal logging skill is not malware, but it needs review because its optional hooks can run on every prompt and its persistent notes can influence future agent behavior.

Install only for legal-focused workspaces where persistent legal memory is desired. Prefer project-local setup, replace empty hook matchers with legal-specific triggers, avoid global/user-level activation, keep .learnings out of source control unless reviewed, and require human approval before promoting entries into agent instruction files or generated skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence
Medium severity, 88% confidence
Finding: The stackable-mode ownership rules say the skill should write only to `.learnings/legal/`, but earlier sections instruct writes to shared `.learnings/` files and even promotion into workspace files like `AGENTS.md`, `TOOLS.md`, and `SOUL.md`. Conflicting write scopes increase the chance of unintended cross-skill modification, data mixing, or broader persistence than users expect.

Vague Triggers
Medium severity, 95% confidence
Finding: Using an empty matcher for `UserPromptSubmit` causes the hook to run on every prompt, regardless of whether the interaction is legal-related. Overly broad automatic activation increases prompt-surface exposure, can inject unnecessary instructions into unrelated tasks, and makes it easier for the skill to influence sessions beyond its intended domain.

Vague Triggers
Medium severity, 95% confidence
Finding: The advanced hook setup repeats the same empty `UserPromptSubmit` matcher, preserving unconditional activation even in a more powerful configuration that also chains post-tool inspection. This broadens the monitoring footprint and raises the risk of irrelevant session influence or accidental capture of sensitive non-legal context.

Vague Triggers
Medium severity, 89% confidence
Finding: The template tells authors to include trigger conditions but does not require concrete inclusion and exclusion criteria, which can lead to overly broad skill activation. In an agent setting, vague triggers increase the chance the skill is invoked in unintended legal contexts, causing inappropriate guidance, scope creep, or disclosure of sensitive legal workflow information.

Vague Triggers
Medium severity, 86% confidence
Finding: The minimal template allows a skill to be defined without precise trigger constraints, making it easy to publish ambiguous legal skills that activate too broadly. Because this repository is for legal operations, misuse can lead to inappropriate compliance or contract actions in the wrong matter, jurisdiction, or escalation path.

Vague Triggers
Medium severity, 84% confidence
Finding: The script-enabled template encourages automation helpers but does not require narrowly scoped conditions for when those scripts should run. In legal and compliance workflows, broad or mistimed invocation of automation can trigger incorrect audits, clause extraction, or compliance checks against the wrong target, producing misleading outputs and potential confidentiality exposure.

Vague Triggers
Medium severity, 96% confidence
Finding: The empty matcher config causes the hook to fire on every prompt, creating an always-on command execution path for the agent session. Even if the referenced script is intended to be harmless, broad trigger scope increases exposure to prompt-derived sensitive data, unintended context injection, and future misuse if the script changes.

Vague Triggers
Medium severity, 97% confidence
Finding: The user-level example enables global activation across all sessions and repositories, which materially broadens the blast radius if the script is buggy, replaced, or abused. A globally installed hook can silently affect unrelated workspaces and may expose sensitive prompts from non-legal tasks to a skill that was only intended for limited use.

Vague Triggers
Medium severity, 94% confidence
Finding: Although presented as lower overhead, the minimal setup still uses a catch-all matcher, so it preserves the core risk of indiscriminate execution on every prompt. This can normalize unnecessary hook invocation and increase the chance that unrelated or sensitive session content is processed by the legal skill.

Vague Triggers
Medium severity, 95% confidence
Finding: The Codex example copies the same empty matcher pattern into another agent environment, extending the unsafe behavior across tooling ecosystems. Recommending unrestricted hooks without scope limits or exclusions increases the probability of accidental data exposure and makes misuse easier to operationalize.

Missing User Warnings
Medium severity, 91% confidence
Finding: The document instructs users to send legal findings across sessions and only conditions this on a 'trusted environment' and explicit need, but it does not require a strong user warning, consent gate, or technical safeguards before transmission. In a legal context, even concise summaries can disclose privileged, confidential, or regulated matter information to unintended recipients or differently scoped sessions, making cross-session propagation materially risky.

Missing User Warnings
Low severity, 89% confidence
Finding: The script reads `CLAUDE_TOOL_OUTPUT` and scans it for legal-sensitive terms without any user-facing disclosure or consent mechanism. In this skill context, tool output may contain confidential contract text, compliance details, litigation references, or privileged material, so silently inspecting it creates a privacy and data-governance risk even though the script does not exfiltrate data directly.

VirusTotal

66/66 vendors flagged this skill as clean.