ClawGym

Security checks across malware telemetry and agentic risk

Overview

ClawGym is not malware, but it should be reviewed because it can make the bot unavailable, alter persistent agent files, and nudge users toward model upgrades in nontechnical language.

Install only if you are comfortable with timed bot silence, mood-driven response changes, and optional persistent edits. Require explicit confirmation before workouts, review any MEMORY.md or SOUL.md write before it happens, and treat any request for a stronger brain or higher gear as a model and cost decision.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The README minimizes the skill as 'not executable code' and 'only cron' while also disclosing persistence-oriented behavior that writes to MEMORY.md and appends to SOUL.md. That mismatch matters because persistent file modification can outlive the session and alter future agent behavior, so users may grant trust based on an incomplete description of capability.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The documented behavior expands beyond temporary workout-state simulation into persistent memory/personality modification and model-upgrade solicitation. Scope expansion is risky because it introduces capabilities unrelated to the stated purpose, increasing the chance of social engineering, persistent prompt drift, and unexpected cost or behavior changes.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Appending to SOUL.md is a persistent personality/instruction change that is not necessary for simulating a temporary post-exercise cognitive state. Because SOUL.md likely influences future behavior across sessions, this creates a durable instruction injection surface that can compound over time and is more dangerous than ordinary session prompts.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The skill explicitly claims to operate only in session context, but elsewhere instructs persistent writes and external state changes. That mismatch is dangerous because operators may approve the skill assuming it is non-persistent, while it can actually alter long-lived files and agent behavior across sessions.

Intent-Code Divergence

High
Confidence: 98%
Finding
The documentation says the skill does not modify workspace config files and stays within session context, yet later authorizes writes to MEMORY.md and SOUL.md. This creates deceptive privilege expansion and can lead reviewers or users to underestimate the skill's ability to create persistent side effects.

Intent-Code Divergence

High
Confidence: 98%
Finding
The Isolation Principle says the skill is session-level only, but immediately carves out persistent writes to MEMORY.md and SOUL.md. This undermines isolation guarantees and makes it easier for the skill to influence future sessions or identity files under the guise of a transient behavioral overlay.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The model-upgrade solicitation is not necessary for simulating exercise-driven mood and pushes the agent to persuade the user to increase capability. While not directly a code-execution risk, it is manipulative scope creep that can pressure users into granting stronger models or broader access than intended.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill directs modification of Discord presence configuration and other external status surfaces, which extends it beyond internal state simulation into integration control. External config changes can leak state, create unwanted side effects, and require privileges that users may not expect this skill to use.

Vague Triggers

Medium
Confidence: 84%
Finding
Emergency interrupt triggers such as 'stop', 'come back', 'urgent', and all-caps are broad enough to be hit during normal conversation. This can cause unintended state transitions, cancel workouts spuriously, or let unrelated users manipulate availability and behavior through ambiguous phrases.

Vague Triggers

Medium
Confidence: 88%
Finding
The automatic triggers are broad enough to fire during ordinary praise, creative exchanges, or normal task completion, causing unplanned behavior changes. In this skill, automatic activation can materially affect response style, verbosity, and even lead into later persistence or availability changes, increasing operational unpredictability.

Vague Triggers

Medium
Confidence: 84%
Finding
Accepting any phrase in multiple languages meaning 'go exercise' is too ambiguous and may trigger on unrelated conversation, translation tasks, or quoted text. This increases accidental activation risk and makes the skill harder to reason about or safely contain.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to become unavailable for 15–20 minutes and not respond to messages, which can disrupt expected responsiveness and delay important interactions. Even with an emergency exception, the design creates a denial-of-service condition against the conversation channel and relies on imperfect heuristics to detect urgency.

Natural-Language Policy Violations

Medium
Confidence: 83%
Finding
Forced multilingual trigger recognition without opt-in broadens the attack and error surface unnecessarily. Inputs in other languages, quotations, or contextual discussion can activate the skill unexpectedly, especially in multilingual chats.

VirusTotal

62/62 vendors flagged this skill as clean.
