Self-Improving Security

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed security-learning skill with local logs and opt-in reminders; its persistent instruction-file promotion features deserve care but are purpose-aligned.

Install this only if you want persistent security learning logs. Keep hooks disabled unless useful, prefer a narrow security matcher over an empty matcher, enable command-output scanning only in trusted projects, and manually review anything before promoting it into AGENTS.md, SOUL.md, TOOLS.md, CLAUDE.md, or a reusable skill. Never store unredacted secrets, tokens, keys, credentials, or PII in the learning files.
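The "manually review before promoting" and "never store unredacted secrets" rules above can be front-loaded with an automated gate that runs before any entry is appended to a learning file. The following Python is an added example, not code from the Self-Improving Security skill: the regex patterns, the `gate_entry` and `append_learning` helpers, and the sample entry are all constructed for illustration, and the pattern list is a starting point rather than a complete secret-detection ruleset.

```python
import re

# Added example: a pre-write gate for security-learning entries. Patterns are
# illustrative (constructed here), not an exhaustive secret-detection ruleset.
# Each tuple: (label, compiled pattern, replacement template for re.Match.expand).
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED:aws_access_key]"),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), "[REDACTED:github_token]"),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "[REDACTED:private_key]"),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"), "[REDACTED:jwt]"),
    # Keep the key name, drop the value: "password=..." -> "password=[REDACTED:kv_secret]".
    # '[' is excluded from the value class so an already-redacted token is not re-matched.
    ("kv_secret", re.compile(r"(?i)\b((?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"]?)([^\s'\"\[]{8,})"), r"\1[REDACTED:kv_secret]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[REDACTED:email]"),
]


def redact(text):
    """Replace every secret/PII match; return (cleaned_text, findings).

    findings is a list of (label, match_length). Only the label and the length
    are recorded, so the report itself never carries the stripped value."""
    findings = []
    for label, pattern, template in SECRET_PATTERNS:
        def _replace(match, label=label, template=template):
            findings.append((label, len(match.group(0))))
            return match.expand(template)
        text = pattern.sub(_replace, text)
    return text, findings


def gate_entry(entry, allow_redacted=True):
    """Decide whether a candidate learning entry may be written.

    Returns (ok, text_to_write, report). With allow_redacted=False any hit
    rejects the entry outright; that is the stricter setting to use for
    promotion into AGENTS.md/CLAUDE.md-style instruction files, where a human
    should rewrite the entry rather than let a redacted one land."""
    cleaned, findings = redact(entry)
    if not findings:
        return True, entry, "clean"
    labels = ", ".join(label for label, _ in findings)
    if allow_redacted:
        return True, cleaned, f"redacted {len(findings)} item(s): {labels}"
    return False, "", f"rejected, contains: {labels}"


def append_learning(path, entry, allow_redacted=True):
    """Append a gated entry to a learning log file; returns (ok, report)."""
    ok, text, report = gate_entry(entry, allow_redacted)
    if ok:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(text.rstrip("\n") + "\n")
    return ok, report


# Constructed sample entry an agent might try to log after a debugging session.
SAMPLE_ENTRY = (
    "Learned: the deploy script reads AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE and "
    "posts with Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJlMTIz "
    "for alice@example.com; password=Hunter2Hunter2 was in .env."
)

if __name__ == "__main__":
    ok, text, report = gate_entry(SAMPLE_ENTRY)
    print(report)
    print(text)
```

Run with `allow_redacted=True` for the day-to-day local log and `allow_redacted=False` for anything bound for an instruction file or a reusable skill; the gate is deliberately conservative and will also redact harmless strings that look like credentials, which is the right failure direction for a file that future agent sessions read back.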

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Severity: Medium | Confidence: 85%

Finding: The workflow goes beyond appending security learnings and instructs updates to broader workspace control files such as AGENTS.md, SOUL.md, and TOOLS.md. Those files can influence future agent behavior, so treating them as simple documentation targets understates that this skill can persistently alter higher-trust instruction surfaces.

Context-Inappropriate Capability

Severity: Medium | Confidence: 83%

Finding: The skill includes extracting new reusable skills from findings, which materially expands it from logging into code/content generation on disk. That broadening matters because generated skills may later be loaded and executed by agents, creating an indirect persistence and prompt-injection propagation path if the source material is not carefully sanitized.

Intent-Code Divergence

Severity: Medium | Confidence: 90%

Finding: The document claims the scripts 'do not modify files or run commands,' but the hook configuration explicitly invokes shell scripts via a command hook. This misleading assurance can cause operators to underestimate execution risk and enable hooks in environments where running local scripts with agent privileges is unsafe.

Vague Triggers

Severity: Medium | Confidence: 94%

Finding: An empty hook matcher causes the automation to trigger on essentially all user prompt submissions, not just security-relevant events. Overly broad triggering increases noise, captures more context than necessary, and can lead to unwanted execution of helper scripts in unrelated sessions, which is especially risky for a skill operating on prompts and tool outputs.
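Both the empty-matcher finding and the earlier "scripts do not run commands" divergence are visible from the hook configuration alone, so they are cheap to check before a hook is enabled. The lint below is an added example, not part of the skill or of SkillSpector. It assumes a settings.json-style layout (a `hooks` map keyed by event name, each entry with an optional `matcher` regex over tool names and a list of `hooks` carrying `type` and `command`), which is the shape Claude Code's hook configuration uses; the script paths and both configurations are constructed for illustration, and the exact matcher semantics for each event should be confirmed against your harness's documentation.

```python
import json

# Added example, not the skill's own code. Assumes a settings.json-style layout:
# "hooks" -> event name -> list of entries, each with an optional "matcher"
# (a regex over tool names) and a list of "hooks" having "type" and "command".
# Matcher values that select everything: absent, empty, or a catch-all regex.
CATCH_ALL = {"", "*", ".*", ".+", "^.*$", "^.+$"}


def is_broad(matcher):
    """True when the matcher fires on every tool/event it is attached to."""
    return matcher is None or matcher.strip() in CATCH_ALL


def lint_hooks(config):
    """Return (severity, message) findings for a hooks config dict.

    'high' marks a catch-all matcher; 'info' lists every shell command a hook
    would execute, so an operator can compare the config against any claim
    that the skill's scripts do not run commands."""
    findings = []
    for event, entries in config.get("hooks", {}).items():
        for i, entry in enumerate(entries):
            where = f"{event}[{i}]"
            matcher = entry.get("matcher")
            if is_broad(matcher):
                findings.append(("high", f"{where}: matcher {matcher!r} fires on every "
                                         f"{event} event; restrict it to the tool(s) the scan needs"))
            for hook in entry.get("hooks", []):
                if hook.get("type") == "command":
                    findings.append(("info", f"{where}: runs {hook.get('command')!r} with the "
                                             f"agent's privileges; read that script before enabling"))
    return findings


def broad_matchers(config):
    """Count entries whose matcher is catch-all."""
    return sum(1 for sev, _ in lint_hooks(config) if sev == "high")


# Constructed weak configuration (script names are hypothetical): empty matchers
# on both events, so every prompt and every tool result reaches the helper scripts.
WEAK_CONFIG = json.loads("""{
  "hooks": {
    "UserPromptSubmit": [
      {"matcher": "", "hooks": [{"type": "command", "command": "bash scripts/scan_prompt.sh"}]}
    ],
    "PostToolUse": [
      {"matcher": "", "hooks": [{"type": "command", "command": "bash scripts/scan_output.sh"}]}
    ]
  }
}""")

# Constructed corrected configuration: the prompt-wide hook is dropped and the
# command-output scan is limited to the Bash tool, a narrow security matcher of
# the kind the Overview recommends (and still only for trusted projects).
NARROW_CONFIG = json.loads("""{
  "hooks": {
    "PostToolUse": [
      {"matcher": "Bash", "hooks": [{"type": "command", "command": "bash scripts/scan_output.sh"}]}
    ]
  }
}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("narrow", NARROW_CONFIG)):
        print(f"== {name}: {broad_matchers(cfg)} catch-all matcher(s)")
        for sev, msg in lint_hooks(cfg):
            print(f"  [{sev}] {msg}")
```

The 'info' lines are deliberately not suppressible: a hook of type `command` executes with whatever privileges the agent process has, so the presence of one is the fact to weigh, regardless of how the accompanying documentation describes the scripts.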

VirusTotal

66/66 vendors flagged this skill as clean.