Improvement Executor

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to edit files, but its main editor does not implement the documented preview mode and can write to arbitrary file paths, so it needs review before installation.

Install only if you are comfortable with a skill that can overwrite local files based on ranking or receipt JSON. Inspect target_path, candidate action, and receipt/execution artifacts before running it, avoid --force unless you intentionally want to bypass the acceptance gate, and do not rely on execute.py --dry-run because the artifact does not implement it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill is explicitly designed to read and modify files and may also use environment data, yet it declares no permissions. This creates a transparency and policy-enforcement gap: an orchestrator or reviewer may treat the skill as low-risk while it can perform impactful filesystem operations including overwriting target files and creating backups with absolute paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented behavior does not accurately bound what the executor can do: the action names differ from the description, preview support is inconsistently described, and the skill appears to perform additional workflow/state-management actions not disclosed in the summary. For a write-capable executor, this mismatch is dangerous because operators may authorize it under incorrect assumptions, leading to unintended file changes or pipeline side effects.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The executor is described as handling low-risk candidates, but the --force option allows execution even when the critic did not accept the candidate. In this skill context, the program performs direct filesystem writes to attacker-influenced target paths and content plans, so bypassing the approval gate weakens a key trust boundary and can lead to unauthorized or unsafe repository modifications.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
78% confidence
Finding
A very short trigger like '回滚' (Chinese for "rollback") can match ordinary conversational text and unintentionally invoke a skill that performs file restoration. In this context the danger is elevated because the skill is write-capable and a rollback can overwrite the current file state, so accidental activation could cause data loss or unexpected state changes.

VirusTotal

67/67 vendors flagged this skill as clean.
