Security audit

Improvement Learner

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to improve other skills, but it needs review: running it can modify the chosen skill, run its tests, send skill content to Claude, and make git commits, with no clearly separated read-only mode.

Install it only if you want an active skill-improvement tool rather than a read-only scorer. Run it on a version-controlled copy of the intended skill directory, prefer `--mock` when you do not want `SKILL.md` content sent through Claude, avoid pointing it at untrusted skills unless sandboxed, and review changes before relying on any generated commit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        result = subprocess.run(
            ["claude", "-p", "--output-format", "json"],
            input=prompt,
            capture_output=True,
Confidence
93% confidence
Finding
result = subprocess.run( ["claude", "-p", "--output-format", "json"], input=prompt, capture_output=True, text=True, timeout=120,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Reliability: test results (pure-text skills without scripts/ default to 1.0)
    if has_tests:
        try:
            result = subprocess.run(
                [sys.executable, "-m", "pytest",
                 str(skill_path / "tests"), "-q", "--tb=no"],
                capture_output=True, text=True, timeout=30,
Confidence
90% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pytest", str(skill_path / "tests"), "-q", "--tb=no"], capture_output=True, text=True, time

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and demonstrates shell execution plus read/write access to arbitrary paths, but declares no permissions or safety boundaries. That creates a transparency and authorization gap: an orchestrator or user may invoke it as if it were low-risk, while it can actually modify files, run commands, and persist state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially understates the skill's actual actions: it can modify files and directories, run pytest, stage/commit with git, call an external CLI judge, and write persistent state. This mismatch is dangerous because users and higher-level agents may grant trust or invoke the skill for passive evaluation, when it actually performs side-effecting operations with broader system and repository impact.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill's implementation performs shell/process orchestration (`claude`, `pytest`, `git`) beyond what a user would reasonably infer from a quality-scoring/self-improvement description. This expands the attack surface substantially because evaluation now includes external data transfer, code execution, and repository mutation side effects.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script modifies files, deletes/restores directories, and creates git commits automatically, which exceeds a passive evaluation role and can cause unintended integrity loss in the target repository. In a security context, hidden write/destructive behavior is dangerous because a user may invoke an assessor expecting read-only analysis.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Overly broad triggers like `self-improve`, `evaluate skill`, or generic quality-check language can cause accidental invocation in unrelated contexts. Because this skill appears capable of editing files, running shell commands, and persisting state, trigger collisions increase the chance of unintended execution of high-impact actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits up to 8000 characters of SKILL.md to an external `claude` CLI with no warning, consent, or redaction. If skills contain proprietary instructions, internal references, or secrets accidentally embedded in docs, this causes silent data exfiltration to a third-party model endpoint.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The backup/restore logic performs destructive filesystem operations (`rmtree`, `copytree`) and file modifications without a user-facing warning or confirmation. In practice this can overwrite local work or interact badly with symlinks/unexpected paths, making the evaluator unsafe as a default read-only tool.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.