Manus-style Task Planning: Planning With Files 2.26.1

Security checks across malware telemetry and agentic risk

Overview

This is a coherent planning helper, but it reads and prints prior Claude session content for recovery without a clear consent or redaction step.

Install only if you are comfortable with a planning skill creating persistent markdown files in your project and using prior Claude session logs to recover unsynced context. Avoid putting secrets in task_plan.md, findings.md, progress.md, or related conversations, and review those files before continuing work because their contents are repeatedly shown to the agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The Stop hook runs external scripts via PowerShell or shell from a path derived from environment variables/home directories, which expands the trust boundary beyond simple markdown planning. Any compromise, replacement, or unexpected behavior in those scripts can execute code automatically at session end without an explicit fresh user action.

Intent-Code Divergence

Severity: Low
Confidence: 72%
Finding: The documentation says files belong in the project directory, but hooks read bare filenames from the current working directory. In practice this can cause the skill to read or act on the wrong task_plan.md/progress.md if invoked from an unexpected directory, creating a context-confusion issue and increasing the chance of consuming attacker-planted content.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill instructs the agent to create and repeatedly update files in the user's workspace as a default workflow, yet it does not present a clear user-facing warning or consent step about persistent writes. In environments where users may expect planning help without file creation, this can lead to surprising modification of project contents and accidental persistence of sensitive or untrusted data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script prints excerpts of prior session messages directly to stdout, including user and assistant content and tool activity, without any explicit consent, redaction, or warning. Because this runs on session start and reads from persisted session logs under the user's home directory, it can expose sensitive prior conversation context to the current terminal, logs, or anyone observing the screen.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding: The template explicitly includes an instruction to "Re-read this plan before major decisions (attention manipulation)," which attempts to shape the agent's attention and persistence behavior. In an agent skill, embedding attention-management directives in reusable templates can bias future behavior across tasks and create a channel for persistent prompt injection or policy steering.

Context Leakage

Severity: High
Category: Data Exfiltration
Content:
def extract_messages_after(messages: List[Dict], after_line: int) -> List[Dict]:
    """Extract conversation messages after a certain line number."""
    result = []
    for msg in messages:
        if msg['_line_num'] <= after_line:
Confidence: 92%
Finding: Extract conversation

Hidden Instructions

Severity: High
Category: Prompt Injection
Content:
# Task Plan: [Brief Description]
<!-- 
  WHAT: This is your roadmap for the entire task. Think of it as your "working memory on disk."
  WHY: After 50+ tool calls, your original goals can get forgotten. This file keeps them fresh.
  WHEN: Create this FIRST, before starting any work. Update after each phase completes.
Confidence: 81%
Finding: <!-- WHAT: This is your roadmap for the entire task. Think of it as your "working memory on disk." WHY: After 50+ tool calls, your original goals can get forgotten. This file keeps them fresh.

Hidden Instructions

Severity: High
Category: Prompt Injection
Content:
-->

## Goal
<!-- 
  WHAT: One clear sentence describing what you're trying to achieve.
  WHY: This is your north star. Re-reading this keeps you focused on the end state.
  EXAMPLE: "Create a Python CLI todo app with add, list, and delete functionality."
Confidence: 78%
Finding: <!-- WHAT: One clear sentence describing what you're trying to achieve. WHY: This is your north star. Re-reading this keeps you focused on the end state. EXAMPLE: "Create a Python CLI todo app

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal