请先说你好.skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local companion/persona tool with optional proactive check-ins, and I did not find hidden exfiltration, destructive behavior, or deceptive persistence.

Install only if you want a companion/persona skill that stores local state. Use /hi commands for clearer control, review where HEARTBEAT.md will be written before enabling proactive greetings, and keep proactive delivery off unless your host Heartbeat/Cron setup is scoped the way you expect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

MCP Least Privilege

Medium
Confidence
88% confidence
Finding
The skill documentation describes use of scripts that read and write files, may access environment/configuration, and can integrate with Heartbeat/Cron, yet no explicit permissions are declared. This creates a mismatch between the skill's stated interface and its effective capabilities, which can lead to over-privileged deployment, unsafe operator assumptions, and unnoticed data access or modification.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script generates persistent persona configuration data and can save it to disk, which exceeds the stated greeting/check-in purpose of the skill. In an agent ecosystem, capability drift matters: creating durable role/persona artifacts can be abused to establish or modify long-lived behavioral state not obviously tied to simple conversational greetings.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The --output argument is written directly to an arbitrary resolved filesystem path with parent directory creation, enabling file creation anywhere the process has permissions. Even without code execution, arbitrary file write can overwrite user files, plant configuration, or persist agent state in unexpected locations.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README explicitly advertises activation through ordinary conversation ('直接说话' / natural speech), which creates ambiguous invocation boundaries. In an agent ecosystem, broad triggers can cause the skill to engage unintentionally on routine greetings or emotional statements, leading to unexpected persona behavior, state changes, or proactive check-in configuration being applied outside clear user intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The quick-start presents an everyday phrase as a valid activation method, which is too general to safely distinguish from normal conversation. This increases the chance of accidental skill activation and unintended handling of personal or emotional content under the companion runtime.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Telling users they can begin with a common emotional statement broadens activation to normal chat content without a crisp boundary. In context, this is more dangerous because the skill manages personas and proactive messaging, so accidental entry can affect ongoing companion behavior rather than a one-off response.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The English documentation repeats the same broad-trigger model ('just talk naturally'), confirming the ambiguity is part of the intended design rather than an isolated wording issue. This can cause the skill to intercept routine greetings and operate without clear, auditable user invocation.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Using a common greeting as the quick-start activation example makes the invocation scope insufficiently specific. In a multi-skill or assistant environment, this can collide with ordinary dialogue and trigger the companion workflow when the user may only be casually greeting the assistant.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description allows activation for broad natural conversation, greetings, companionship, persona management, and role dialogue, which makes invocation boundaries fuzzy. Overly broad triggering can cause the skill to intercept unrelated user input, steer conversations unexpectedly, or expose companion/persona logic in contexts where it was not intended.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The core contract explicitly accepts unrestricted natural conversation as an entry mode and routes it into shared intent handling. That broad activation surface increases the risk of accidental invocation, prompt-scope confusion, and misuse of role/configuration flows when users are not intentionally interacting with this skill.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The default prompt routes the skill for generic greetings, companion check-ins, and persona flows, which overlaps heavily with ordinary conversation. This broad trigger scope can cause the skill to activate unintentionally and intercept normal user chat, increasing the chance of prompt/behavior hijacking, incorrect routing, or persona-related handling where it was not explicitly requested.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The spec routes broad natural-language phrases like role creation, switching, config changes, and consent confirmation without requiring an explicit command or strong confirmation boundary. In a companion/chat skill, ordinary conversation can easily resemble these triggers, causing unintended persona changes, proactive messaging settings changes, or accidental activation from ambiguous user text.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal