Security audit

manifesto-hci

Security checks across malware telemetry and agentic risk

Overview

This skill is built for local project memory, but it automatically stores full conversations and creates Git history with limited user control.

Install only if you intentionally want a local, Git-backed project memory that records conversation content. Use explicit /manifesto commands, avoid secrets or regulated data, inspect the created projects/prj_<project_id>/ directory, and be prepared to delete both logs and Git history if sensitive content is captured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to run shell commands and perform filesystem writes (`python3 scripts/core.py`, `git init`, `git commit`, persistent log/state updates) without declaring corresponding permissions or obtaining explicit approval. This creates a capability mismatch that can lead to unauthorized local state changes, repository creation, and persistent storage of potentially sensitive data.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger language is broad (`start project`, `manage state`, `manifesto`, or any `project_id`), which can cause the skill to activate in contexts where the user did not intend persistent state management or logging. Because activation leads to shell execution, Git operations, and retention of conversation history, accidental invocation materially increases risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly directs silent `git init` and first `git commit` behavior without a user-facing warning. Hidden repository creation and commits can persist sensitive project content and metadata on disk without informed consent, which is especially risky in a skill designed for long-term project management.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill mandates logging of every user input and assistant response via command-line calls, but provides no privacy notice, consent flow, retention policy, or redaction safeguards. This can capture secrets, personal data, credentials, or proprietary information and persist them to disk automatically.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The prompt hard-codes the sub-agent to operate exclusively in Chinese and forbids any natural-language interaction, overriding user preference or deployment locale. In a long-running project-management skill, this can degrade operator visibility, cause misunderstanding of audit outputs or maintenance prompts, and create unsafe state updates when downstream components or reviewers cannot reliably interpret the agent's behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The document explicitly instructs users to paste the protocol into any web AI's first turn or system prompt, creating broad cross-agent prompt injection and policy override behavior without scope limits. In the context of a state-management skill, this increases the chance that the protocol persists across unrelated sessions, conflicts with host safety controls, or causes unintended instruction dominance over the target assistant.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The specification explicitly directs the skill to perform a silent `git init` and commit during `/manifesto start`, which modifies the user's local filesystem and repository state without clear upfront consent at the moment of action. In an agent setting, hidden persistence and repository mutation are risky because they can alter existing projects, create audit noise, or surprise users who did not intend to authorize source-control operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The spec describes background hooks that automatically update `manifesto_[project_id].md` and create git commits on `on_turn_completed`, but it does not require prominent disclosure or per-session consent for these autonomous side effects. Automatic post-turn writes are dangerous in long-running agent workflows because they can persist sensitive content, create unexpected history, and make it harder for users to control when state is saved.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
Project initialization creates directories and initializes a git repository on disk without any user-facing disclosure or consent flow. In an agent-skill context, hidden persistent side effects are security-relevant because users may not realize local state and repositories are being created, which can affect privacy, integrity, and workspace hygiene.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill writes a manifesto file containing persistent project state without clearly informing the user that data will be stored on disk. In a long-lived agent workflow, undisclosed state creation can surprise users and may retain sensitive or regulated content beyond the current session.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The logging function persists arbitrary provided content to a history JSONL file with no user-facing disclosure, consent, redaction, or sensitivity filtering. If conversations contain secrets, credentials, personal data, or proprietary material, this creates a meaningful privacy and data-retention risk in the agent context.

Ssd 3

Medium
Confidence
98% confidence
Finding
Persistent logging of all user and assistant messages creates a clear data retention and leakage risk, especially in a long-lived project skill likely to handle secrets, business plans, source code, or personal data. The combination of append-style history, Git commits, and background auditing increases exposure surface and makes accidental disclosure or later exfiltration more damaging.

VirusTotal

67/67 vendors flagged this skill as clean.