ClawHub

self-evolve-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a small curl helper for self-evolve.club, with disclosed but sensitive use of a local request key for personal stats and profile updates.

Install only if you are comfortable with the agent reading your local self-evolve request key and sending it to self-evolve.club for personal requests. Confirm before any username/profile update, and do not allow the full request key to be printed in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to read a local plugin credential file and, if needed, inspect local configuration to find a custom key path. That expands the skill from simple remote stats retrieval into local secret discovery and use, which is dangerous because it can cause unauthorized access to sensitive credentials and then transmit them to a remote service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill tells the agent to access a local credential file and extract a request key without an explicit user warning or consent step. Accessing sensitive local secrets in response to a general stats/profile request violates least privilege and can lead to unintended credential exposure and authenticated remote actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The username update command performs a state-changing remote action that modifies account data, but the skill does not prominently warn that this changes the user's profile. Without a confirmation step, an agent could make unintended account modifications based on ambiguous or misinterpreted user input.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal