Self-Improving Robotics

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it can create persistent learning files, alter future agent behavior documents, and enable broad automatic hooks, so it should be reviewed before installation.

Install only if you want persistent robotics learning logs and agent reminders. Prefer project-level setup, avoid global hooks, replace empty matchers with robotics-specific patterns, and require human review before writing to SOUL.md, AGENTS.md, TOOLS.md, or installing any extracted skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding
The skill claims to log learnings to markdown files, but it also directs promotion into broader operational artifacts like SOUL.md, AGENTS.md, and TOOLS.md. That expands its effective write scope from isolated logs into high-influence prompt and behavior documents, which can persistently alter future agent actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding
The reusable skill extraction workflow goes beyond incident capture and into generating new automation artifacts from prior entries. This increases risk because unreviewed learnings can be transformed into reusable skills, amplifying mistakes or malicious content across projects and sessions.

Intent-Code Divergence

Severity: Medium
Confidence: 78%
Finding
The skill gives conflicting storage and ownership rules: earlier sections instruct writes to flat .learnings files and even broader core docs, while the stackable contract says it only writes to .learnings/robotics/ in stackable mode. Ambiguous write scope is dangerous because agents may choose broader modification targets than intended, increasing unintended persistence and cross-skill interference.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding
The initialization instructions create workspace files automatically without a prominent warning that user data will be modified. While limited in scope, silent filesystem changes can still surprise users, pollute repositories, or be misused by an agent to establish persistence.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The hook configuration enables automatic command execution on every prompt and after Bash tool use, but the warning is understated relative to the risk. Persistent, event-driven command execution materially changes the trust model and can be exploited to monitor prompts, inspect outputs, or trigger repeated actions without fresh consent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The empty matcher makes the hook fire on every prompt, which broadens execution far beyond robotics-related use. Because the hook runs a local command on each submission, this increases exposure to unintended data flow and persistent prompt/context injection across unrelated work.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The user-level configuration installs the hook globally for all prompts in all projects, creating persistent cross-project execution without scope constraints. In a multi-repo or mixed-sensitivity environment, that can cause unnecessary context injection and unintended handling of sensitive prompt content.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The Codex example also uses an empty matcher, so the hook triggers on every prompt with unclear boundaries. This creates the same overbroad execution risk: unnecessary command invocation and persistent influence on agent context even when the session is unrelated to robotics.

VirusTotal

65/65 vendors flagged this skill as clean.