知行迭代

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly malicious, but it asks an agent to automatically persist, reorganize, and sometimes delete conversation-derived memory without enough user control.

Install only if you intentionally want an agent to keep persistent memory from your conversations. Before enabling it, decide where memory files live, whether cron jobs are enabled, how to review or disable them, and what categories of sensitive information must never be saved or deleted automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README explicitly instructs automatic updates to memory files after every conversation and mentions deleting outdated information, but it does not present any consent boundary, review step, or safeguard against unintended modification of user data. In an agent skill, autonomous persistence and deletion are security-relevant because they can silently alter records, overwrite context, or remove information a user expected to retain.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The documentation says the system runs automatically ('无需操作,系统自动运行', i.e. "no action needed, the system runs automatically") and that cron-triggered tasks run in independent sessions to reorganize stored memory, yet it does not warn users that background processing may occur without direct interaction. This creates a real risk of unanticipated data handling, including silent summarization, restructuring, or deletion outside the user's immediate awareness.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill description is broad enough to invite invocation for multiple loosely related tasks such as memory organization, reflection, and skill creation, without clear guardrails on when it should or should not run. In an agent setting, vague triggers increase the chance of unintended activation and autonomous handling of sensitive user data or system-modifying actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill advertises automatic memory organization and long-term improvement behavior but does not clearly warn that user conversations may be persisted, transformed, and reused later. This can lead users or downstream agents to process sensitive data without informed consent or appropriate minimization.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The cron examples schedule unattended processing of conversation history and memory files, yet the documentation does not prominently disclose the privacy and automation implications. Scheduled background execution increases the chance of collecting, summarizing, or propagating sensitive information outside the immediate user interaction.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
These instructions explicitly encourage extracting facts from daily conversations and writing them into persistent memory files without any sensitivity classification, exclusion rules, or user approval step. That creates a direct risk of storing personal, confidential, or regulated data in durable storage where it may later be reused or exposed.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The workflow calls for deep analysis of memory files and integration into long-term memory, which expands both the scope and persistence of collected user information. Without sensitivity limits, this creates a compounding privacy risk: data can be aggregated over time, inferred, and retained far beyond what the user expects.

VirusTotal

66/66 vendors flagged this skill as clean.