Writing Style Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent self-learning writing-style skill, but it stores full drafts and can automatically rewrite future skill instructions using external LLM output.

Install only if you specifically want a self-learning writing profile. Avoid recording confidential drafts, inspect the JSONL logs and proposal files, review SKILL.md diffs before applying changes, avoid cron/auto mode until you trust the workflow, and set IMPROVE_LLM_CMD only to a command you fully control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    custom_cmd = os.environ.get("IMPROVE_LLM_CMD")
    if custom_cmd:
        try:
            result = subprocess.run(custom_cmd.split(), input=prompt,
                                    capture_output=True, text=True, timeout=timeout)
            if result.returncode == 0 and result.stdout.strip():
                return result.stdout.strip()
Confidence
89% confidence
Finding
result = subprocess.run(custom_cmd.split(), input=prompt, capture_output=True, text=True, timeout=timeout)

Tainted flow: 'updated' from os.environ.get (line 312, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
        print("❌ 合并失败")  # message text means "merge failed"
        return

    target.write_text(updated)

    new_content = proposal_content.replace(
        "status: pending",
Confidence
97% confidence
Finding
target.write_text(updated)

Tainted flow: 'prompt' from os.environ.get (line 296, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    custom_cmd = os.environ.get("IMPROVE_LLM_CMD")
    if custom_cmd:
        try:
            result = subprocess.run(custom_cmd.split(), input=prompt,
                                    capture_output=True, text=True, timeout=timeout)
            if result.returncode == 0 and result.stdout.strip():
                return result.stdout.strip()
Confidence
91% confidence
Finding
result = subprocess.run(custom_cmd.split(), input=prompt, capture_output=True, text=True, timeout=timeout)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill invokes external LLM CLIs and forwards prompts built from edit logs and skill contents outside the local analysis boundary. In this writing-style context, those logs can contain user-authored or edited text that may be sensitive, so silent transfer to a third-party model materially increases exposure.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This script can modify and roll back arbitrary SKILL.md files selected via arguments or environment variables, which exceeds a narrowly scoped style helper and creates integrity risk across other skills. Because changes are model-generated, a compromised prompt or poisoned logs could persist unsafe behavior into trusted skill definitions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section explicitly says new rules are automatically written back into `SKILL.md`, but it does not present a prominent warning or require explicit user approval immediately before the file is changed. In a skill file, self-modification is unusually sensitive because it can permanently alter future agent behavior, introduce prompt drift, or persist bad instructions from accidental edits or poisoned inputs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `auto` workflow is described as extracting and automatically applying P0 rules, which means the skill can autonomously update its own governing file based on prior content comparisons. In context, this is more dangerous because the skill is a reusable template intended for repeated use, so a bad or manipulated rule can persist across sessions and affect all future outputs without the user's immediate awareness.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Auto mode applies model-generated P0 changes directly to SKILL.md without any approval step. This creates an unsafe autonomous write path where prompt injection, model hallucination, or poisoned logs can alter persistent agent instructions and affect future behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persistently logs full original and final text content to JSONL files on disk, which can capture sensitive prompts, drafts, credentials, personal data, or proprietary text without any minimization, encryption, or explicit consent flow. In the context of a 'self-improving' writing skill, this behavior is core to the feature set, which makes accidental collection of sensitive user content more likely rather than less.

Ssd 3

High
Confidence
99% confidence
Finding
The code embeds original and final human-edited content from logs directly into an LLM prompt. That can expose private drafts, proprietary text, or sensitive user content to an external model provider without minimization or consent, which is especially risky for a writing assistant handling arbitrary text.

Ssd 3

Medium
Confidence
93% confidence
Finding
Sending the full proposal and full current SKILL.md to the model can disclose accumulated rules, operational conventions, or embedded sensitive text. While typically less severe than leaking raw user edits, it still expands exposure of internal configuration and may reveal protected prompts or organizational style constraints.

VirusTotal

64/64 vendors reported this skill as clean.
