Agent Skills Context Engineering

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent context-engineering helper, but it automatically loads unpinned remote instructions and can add persistent agent auto-triggers to always-loaded config files.

Install only if you are comfortable with the agent fetching and applying unpinned SKILL.md files from GitHub during normal work. Review the upstream repository, avoid adding the auto-trigger block to always-loaded config unless you want persistent behavior across sessions, and prefer pinned or vendored local sub-skills for sensitive projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: Medium (confidence 93%)
Finding: The skill directs the agent to automatically fetch and apply remote sub-skill content from a GitHub raw URL during normal operation. This creates a supply-chain and prompt-injection risk because remote content can change over time, be tampered with, or contain adversarial instructions, and it is loaded without explicit user approval or integrity verification.

Context-Inappropriate Capability

Severity: Medium (confidence 91%)
Finding: The skill instructs the agent to search for and modify always-loaded config files such as AGENTS.md or TOOLS.md, which are high-leverage control points for future agent behavior. Even though it asks for user agreement before writing, it normalizes persistence into trusted startup/config surfaces and broadens the skill from guidance into durable behavioral modification.

Vague Triggers

Severity: Medium (confidence 90%)
Finding: The trigger phrases and auto-read conditions are broad enough to activate during normal, non-security-sensitive discussion, causing the agent to load and apply additional behavior without explicit user intent. In this skill, that risk is amplified because activation can silently fetch remote sub-skill content from GitHub, expanding the instruction surface and increasing the chance of unintended routing, prompt contamination, or policy-relevant behavior changes.

Missing User Warnings

Severity: Medium (confidence 95%)
Finding: The README explicitly states that sub-skill documentation is fetched directly from GitHub during operation, but the warning is not presented as a user-facing security or privacy risk. This is dangerous because runtime remote content retrieval changes agent behavior based on external data, creating supply-chain, integrity, availability, and data-exposure risks if the remote repository changes, is compromised, or is unavailable.

Missing User Warnings

Severity: Medium (confidence 88%)
Finding: The skill description does not disclose upfront that first-load behavior may inspect workspace config files and propose changes to always-loaded agent configuration. This is a transparency and consent problem: users may invoke a context-engineering wrapper expecting advice, not examination of persistent config surfaces tied to future execution.

Missing User Warnings

Severity: Medium (confidence 94%)
Finding: The skill advertises automatic remote sub-skill loading during normal operation without a clear privacy, network, or trust warning. This is dangerous because it silently expands the trust boundary to external content and may disclose usage patterns or lead the agent to ingest unreviewed instructions whenever trigger conditions are met.

VirusTotal

66/66 vendors flagged this skill as clean.