Claw Self Evolution

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can automatically change workspace files, rewrite user memory, and restart services without enough user control.

Review and edit the scheduled jobs before enabling this skill. Disable or rewrite the automatic user-profile updater, add dry-run or confirmation gates before directory repair and cleanup, and avoid enabling service auto-restart until it targets only the intended service with clear logs and rollback behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""运行单个检查,返回(是否成功, 标准输出, 标准错误)"""
    print(f"\n🔍 开始检查: {check['name']}")
    try:
        result = subprocess.run(
            check["command"],
            shell=True,
            capture_output=True,
Confidence
94% confidence
Finding
result = subprocess.run( check["command"], shell=True, capture_output=True, text=True, timeout=300 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            return result.returncode == 0
        else:
            # If docker is not available, try restarting the process directly
            result = subprocess.run(
                f"pkill -f {PROCESS_NAME} && sleep 2 && nohup {PROCESS_NAME} > /dev/null 2>&1 &",
                shell=True,
                capture_output=True,
Confidence
83% confidence
Finding
result = subprocess.run( f"pkill -f {PROCESS_NAME} && sleep 2 && nohup {PROCESS_NAME} > /dev/null 2>&1 &", shell=True, capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("🔍 检查过时依赖...")
    
    try:
        result = subprocess.run(
            "pip list --outdated --format=json",
            shell=True,
            capture_output=True,
Confidence
94% confidence
Finding
result = subprocess.run( "pip list --outdated --format=json", shell=True, capture_output=True, text=True )

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The function claims to update the profile from recent conversations, but it actually writes a fixed, hard-coded set of user preferences. This is dangerous because it creates deceptive persistent state: downstream components may trust fabricated profile data as if it were learned from the user, leading to unauthorized behavior changes, privacy misrepresentation, and unsafe automation decisions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The installer prints extensive claims about implemented safety controls and autonomous operational features, but the script itself only copies Python files and creates markdown logs. This mismatch can mislead operators into believing guardrails like isolated experiments, approval gates, backups, health checks, and auto-recovery are already active, causing unsafe trust and deployment decisions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly advertises 'automatic user profiling' that learns user preferences daily, but the documentation does not describe explicit informed consent, data minimization, retention limits, or what profile fields are stored. Persistent profiling of user behavior/preferences can create privacy risks, over-collection of sensitive data, and secondary misuse if other automation later consumes that profile.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that health monitoring runs every 15 minutes and will 'automatically recover' on anomalies, which implies autonomous system changes without clearly defining scope, guardrails, or approval requirements. Even if limited to the workspace, undocumented self-healing behavior can trigger unintended restarts, file rewrites, or state changes that reduce operator control and may be abused or misfire.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The manifest description advertises a broad 'complete safe and controllable self-evolution closed loop' with continuous self-improvement, but provides no activation boundaries, scope limits, or concrete examples of allowed behavior. For a self-modifying or self-improving skill, vague framing increases the risk of unsafe invocation, overbroad autonomy, and misinterpretation of what safety controls actually exist.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script overwrites a persistent user profile file on every run without confirmation, preview, rollback, or integrity checks. In an agent environment, silent modification of memory can permanently alter future model behavior, making accidental corruption or manipulation of user state hard to detect and reverse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically moves, merges, and deletes files under /app/working without any confirmation, dry-run mode, or backup safeguards. In an agent skill context, this is risky because routine execution can silently alter or destroy data, especially when filename-based heuristics misclassify files or when merges append irreversible content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The archiving routine automatically relocates files older than 30 days and may merge then delete originals when name collisions occur, with no prior disclosure or operator approval. This can cause silent data loss, retention-policy violations, or corruption of audit/history records if the date-based assumptions are wrong or the archive already contains related content.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script collects token-usage data and persists it into a report under /app/working/logs without any access control, minimization, or explicit disclosure. Operational usage metrics can reveal activity patterns, scale, or business-sensitive consumption data if logs are broadly accessible or forwarded to external notification systems.

Ssd 3

Medium
Confidence
95% confidence
Finding
Continuous learning from user interactions into a persistent user profile is a real privacy and data-governance issue in this context because the skill presents it as an always-on feature rather than a narrowly bounded, consented capability. The surrounding 'self-evolution' context increases risk because accumulated profile data may later influence automated decisions or modifications, compounding the effect of inaccurate or overbroad memory.

Ssd 3

Medium
Confidence
90% confidence
Finding
The workflow directs the system to record user corrections, errors, and new requirements into persistent memory stores, but does not describe consent boundaries, sanitization, or controls against storing secrets or sensitive personal/business information. This is dangerous because routine interactions often contain credentials, confidential context, or mistaken prompts that should not be permanently retained and later reused by automated processes.

Ssd 3

Medium
Confidence
88% confidence
Finding
The script is explicitly designed to persist user preferences across conversations without defining data minimization, retention limits, or consent boundaries. In a memory-bearing agent, this increases the risk of over-collection, storing sensitive behavioral inferences, and using them in future interactions beyond the user's expectations.

Ssd 3

Medium
Confidence
93% confidence
Finding
The code frames recent conversations as a source for persistent 'insights' about the user, encouraging durable storage of inferred preferences. This is risky because conversation summaries can contain sensitive or incorrect inferences, and once persisted they can silently shape future agent actions and disclosures.

Ssd 3

Medium
Confidence
86% confidence
Finding
The narrative promotes a self-evolving system that automatically discovers and records user requirements over time, expanding memory scope without clear controls. This makes the skill more dangerous in context because it normalizes continuous profiling and autonomous persistence, which can accumulate sensitive state and amplify errors across sessions.

Ssd 3

Medium
Confidence
92% confidence
Finding
The script reads memory files under /app/working/memory/learnings/, generates a consolidated report, saves it to a logs directory, and prints the full report to stdout. Even though it currently counts entries rather than fully dumping file contents, the report still discloses operational metadata and user/learning-derived information to broader sinks such as logs, terminals, or downstream push mechanisms, which can expose sensitive internal context beyond the minimum necessary audience.

VirusTotal

66/66 vendors flagged this skill as clean.