Shark

Security checks across malware telemetry and agentic risk

Overview

This is a coherent performance skill, but it gives agents broad background execution authority and includes a loop that bypasses normal Claude permission checks.

Install only if you intentionally want agents to run slow work in parallel or background. Avoid /shark-loop in sensitive repositories unless you remove the permission-bypass flag or run it in a disposable sandbox, and explicitly approve shell, SSH, Docker, CI, or filesystem-changing commands before they launch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding: The skill goes beyond advisory orchestration guidance and instructs the agent to execute external shell and PowerShell wrappers with execution-policy bypass and user-provided task content. That broadens the attack surface from planning into code/process execution, which can enable unsafe command execution or persistence behaviors if invoked in a permissive runtime.

Vague Triggers

Medium
Confidence: 91%
Finding: The README defines very broad activation phrases such as "Use shark mode," "Keep swimming," and "Never wait for tools," which are natural-language phrases that can plausibly appear in ordinary conversation or unrelated task instructions. In a skill-loading ecosystem where agents react to textual triggers, this increases the chance of accidental activation and unexpected changes to execution behavior, especially because the skill changes how tools are invoked and encourages parallel/background execution.

Missing User Warnings

Medium
Confidence: 95%
Finding: The installation instructions tell users to fetch remote skill content directly via curl from GitHub and place it where agents will automatically consume it, but they do not warn that this content modifies agent behavior or recommend verification steps. This creates a supply-chain and trust-boundary risk: users may import unreviewed prompt/instruction content that persistently alters future agent decisions without understanding the security implications.

Missing User Warnings

Medium
Confidence: 93%
Finding: The `/shark-clean` command directs deletion of state files without any warning, confirmation step, or scoping safeguards. In practice this can lead to unintended loss of logs, completion markers, and job state, undermining auditability and potentially disrupting active workflows.

Missing User Warnings

Medium
Confidence: 96%
Finding: The skill explicitly invokes `powershell.exe` with `-ExecutionPolicy Bypass`, which suppresses PowerShell's normal policy safeguards and allows the referenced script to run even in environments where execution would otherwise be restricted. In this skill, the bypass is exposed through an agent command without any warning, validation, or integrity check on `shark.ps1`, making misuse or tampering harder for a user to notice and increasing the chance of unsafe script execution.

Missing User Warnings

Medium
Confidence: 96%
Finding: The skill directs the agent to execute external shell commands and, on Windows, explicitly uses `powershell.exe -ExecutionPolicy Bypass`, which weakens a built-in safeguard and increases the chance that unsafe script content is run without policy enforcement. Because the task description is passed into an external script and there is no user-facing warning, consent step, or trust boundary explanation, this creates a meaningful command-execution risk in a context that can process attacker-controlled input.

Vague Triggers

Medium
Confidence: 94%
Finding: The invocation phrases are highly generic (e.g. 'use shark mode for this', 'non-blocking — spawn where needed', 'keep swimming') and do not constrain when the skill should activate or what tasks are in scope. In an agent environment, broad triggers can cause unintended activation across unrelated tasks, leading the agent to spawn parallel tool executions or change execution strategy without explicit user intent, which increases the risk of unsafe or surprising actions.

Missing User Warnings

Medium
Confidence: 88%
Finding: The skill encourages wrapping long-running shell commands in background execution and persisting them for later polling, but it never adds guardrails around what commands are safe to run, how to validate inputs, or how to avoid running untrusted user-derived shell strings. That omission increases the chance an agent will asynchronously execute dangerous commands with reduced visibility and delayed supervision, which can amplify command-injection and destructive-execution risks.

Missing User Warnings

Medium
Confidence: 97%
Finding: The script invokes `claude` with `--permission-mode bypassPermissions`, which disables normal permission safeguards for whatever actions the model may choose to take. Because the prompt is built from task input, `SKILL.md`, and persisted state, any prompt injection or unsafe task content can be executed with elevated authority and without an interactive user confirmation step, substantially increasing the blast radius.

Session Persistence

Medium
Category: Rogue Agent
Content (excerpt from the skill's instructions):

> This must be the **first thing you do** — before exec, before writing state. Silence = failure.
>
> ### Step 2 — Launch Background Process
>
> Launch the command in the background using your agent's background execution primitive (see [Runtime Adapters](#runtime-adapters) below).

Confidence: 90%
Finding: Launch Background Process

VirusTotal

64/64 vendors flagged this skill as clean.