Skill Evolution Loop

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned automation, but it can scan local session logs, create or alter skills/workflows, delete skill directories, and instruct external publishing/sync without strong confirmation gates.

Review before installing. Use only in an environment where the agent is allowed to read local Hermes session logs and modify `~/.hermes` skills/workflows. Prefer `detect`, `run --auto`, and `gc --dry-run` first; do not let an agent run `gc`, `git push`, `clawhub publish`, or `scp` from this skill unless you explicitly approve the exact targets and changes. VirusTotal and the static scan were clean; the Review verdict comes from the artifact's own high-impact automation and missing confirmation gates, not from malware telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High (98% confidence)
The file claims a safety mechanism of manual confirmation, but the normal `run` path directly distills tasks, evolves skills, and generates workflows from detected session patterns without checking any approval state in `candidates.json`. In a self-modifying automation engine, that means unreviewed log-derived inputs can drive creation of new skills and orchestrations, increasing the chance of unsafe automation, persistence of bad logic, or propagation of prompt-injected task patterns.

Intent-Code Divergence

High (95% confidence)
The top-level documentation says stale auto-generated skills are only marked as deletion candidates, but `run_gc()` actually removes directories by default when `dry_run` is false. This mismatch is dangerous because operators may invoke `gc` expecting a non-destructive review operation and instead suffer irreversible deletion of skills and their contents.

Vague Triggers

Medium (84% confidence)
The trigger set includes broad phrases for a high-impact skill that can analyze logs, generate artifacts, and perform GC. Overly broad activation increases the likelihood of accidental invocation, causing the agent to enter a self-modifying or cleanup workflow when the user intended something else.

Missing User Warnings

Medium (93% confidence)
The garbage-collection path deletes skill directories automatically during normal execution without an execution-time confirmation prompt or explicit destructive flag. In the context of an automation engine managing local skills, this can cause accidental loss of operational assets, especially because stale status is inferred from file modification time rather than verified runtime usage.

VirusTotal

64/64 vendors flagged this skill as clean.