Improvement Generator

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent improvement-candidate generator, but it can send target SKILL.md content and evaluator failure details to the external Claude CLI without clear user-facing opt-in or disclosure.

Review before installing in environments with private skills, proprietary prompts, or sensitive evaluation traces. Use it only when external Claude CLI analysis is acceptable, or run in an environment where `claude` is unavailable so it falls back to local templates; inspect generated candidates before passing them to any executor.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82%
Finding
The skill advertises CLI usage that reads target paths, writes output files, and may consume external trace or memory inputs, yet it declares no permissions. This creates a transparency and policy-enforcement gap: orchestrators or reviewers may treat it as low-privilege while it can access local files and potentially invoke external tooling, increasing the chance of unintended data exposure or unsafe execution in automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88%
Finding
The documented purpose frames the skill as a candidate generator, but its actual behavior extends into analyzing SKILL.md, consuming evaluator failure artifacts, and generating targeted repair plans. That mismatch is dangerous because operators may route sensitive evaluation traces to it, or allow it broader execution, on the assumption that the skill performs only limited transformation, when it is effectively performing higher-risk analysis and repair orchestration.

Context-Inappropriate Capability

Medium
Confidence
95%
Finding
The skill silently invokes an external LLM CLI and sends current SKILL.md content plus evaluator-failure details outside the process boundary, but the manifest does not disclose that capability. In a security-sensitive workflow, this can leak proprietary prompts, internal instructions, or traces to a third-party model/service and breaks operator expectations about what the skill does.

Context-Inappropriate Capability

Medium
Confidence
90%
Finding
This path performs proposal generation by spawning an external CLI to analyze full SKILL.md content, which expands the skill's effective capabilities beyond simple local candidate generation. The danger is not the subprocess primitive itself, but undisclosed delegation of analysis and content handling to another tool or service that may have different trust, logging, or retention properties.

Missing User Warnings

Medium
Confidence
94%
Finding
The code calls the external `claude` CLI without any user-visible warning that prompt contents may leave the local trust boundary. Because the prompt includes file contents and failure context, operators may unknowingly expose sensitive or proprietary material during routine proposal generation.

Missing User Warnings

Medium
Confidence
95%
Finding
This second call transmits up to 4000 characters of SKILL.md to an external LLM for analysis with no visible disclosure, which can expose confidential prompts, business logic, or embedded secrets. In the context of an improvement-generator, users may reasonably expect local processing, so the lack of notice makes the behavior more dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.