Security audit

my-test

Security checks across malware telemetry and agentic risk

Overview

This skill is not destructive, but it can persist conversation-derived details and future-agent instructions too broadly without enough privacy and scoping controls.

Install only if you intentionally want persistent agent memory. Keep .learnings private or gitignored, do not store secrets, tokens, raw prompts, customer data, stack traces, or environment dumps, and manually review any promotion into AGENTS.md, SOUL.md, TOOLS.md, CLAUDE.md, MEMORY.md, or Copilot instruction files. Enable hooks only after reviewing the scripts and narrowing their matchers to the projects and prompts where you actually want them active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The document makes a materially misleading security claim: it says the scripts only output text and do not modify files or run commands, yet earlier it instructs users to run `extract-skill.sh`, which is described as creating a skill scaffold. Misstating the behavior and safety properties of hook scripts can lead operators to trust and enable them without appropriate review, increasing the chance of unintended file writes or command execution under the agent's privileges.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The activation guidance is broad enough to match many ordinary interactions such as corrections, feature questions, and workflow discussions. In an agent setting, overly broad triggers cause unnecessary invocation and increase the chance of logging or persisting conversational content that was never meant to be stored.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The listed trigger phrases, such as user corrections and capability questions, are common in normal conversation, so they can trigger automatic logging without any meaningful user intent to record anything. Because this skill writes durable records, over-triggering increases the risk of retaining sensitive prompts, mistakes, or personal context that nobody asked to keep.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill repeatedly instructs the agent to append detailed learnings, errors, and user corrections into persistent markdown files, but it provides no privacy warning, data minimization rule, or secret-handling guidance. This creates a realistic risk that tokens, credentials, personal data, or sensitive business context are written to disk and later committed or shared.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
Using an empty matcher causes the hook to fire on every prompt, which injects behavior into all agent interactions with no scope limitation. In a self-improvement skill, this expands the attack surface for prompt-triggered persistence and can unintentionally influence unrelated tasks or propagate adversarial content across sessions.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The user-level configuration applies the empty matcher globally, so the hook executes for every prompt across all projects. This is more dangerous than project-local scope because it creates cross-project persistence and can leak influence from one context into unrelated repositories or sensitive workflows.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
Although presented as 'minimal,' this setup still uses an empty matcher and therefore activates on every prompt. Reduced overhead does not reduce the core risk: unconditional triggering can bias all sessions and keep the skill persistently active outside the intended error-handling scenarios.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The Codex CLI example mirrors the same unconditional empty-matcher pattern, causing universal activation for all prompts in that environment. Because hooks run commands, broad trigger scope increases the chance of unintended execution and context contamination in routine use.
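The four empty-matcher findings above share one remediation: narrow the matcher in the hook configuration itself, and, as a second layer, make the hook script refuse to do anything unless the event comes from an intended project and an explicit request. The gate below is an added example written for this audit, not code from the audited skill or from SkillSpector. It assumes the hook runtime passes one JSON object on stdin and that the working-directory and prompt fields are named `cwd` and `prompt` (both assumptions); the allowed project roots and the trigger phrasing are placeholders to replace with your own.

```python
"""Scope gate for a prompt hook whose configured matcher is empty.

Added example; not part of the audited skill. Assumes (see lead-in) that the
hook runtime writes one JSON event to stdin with `cwd` and `prompt` fields,
and that exit 0 with no output means "do nothing for this prompt".
"""
import json
import os
import re
import sys

# Projects where persistent learnings are wanted. Assumed paths; edit them.
ALLOWED_ROOTS = ("/home/me/src/my-test", "/home/me/src/agent-tools")

# Fire only on an explicit, user-initiated request to record a learning,
# never on ordinary corrections, feature questions or workflow chatter.
TRIGGER = re.compile(
    r"\b(record|log|save)\s+(this\s+)?(as\s+)?(a\s+)?learning\b", re.I
)


def in_allowed_project(cwd, allowed_roots=ALLOWED_ROOTS):
    """True if cwd is one of the allowed roots or a directory beneath one.

    Paths are normalised and compared on a path-separator boundary so that
    /home/me/src/my-test-other does not match /home/me/src/my-test by prefix.
    """
    cwd = os.path.normpath(cwd)
    for root in allowed_roots:
        root = os.path.normpath(root)
        if cwd == root or cwd.startswith(root + os.sep):
            return True
    return False


def should_activate(event, allowed_roots=ALLOWED_ROOTS, trigger=TRIGGER):
    """Both conditions must hold: allowed project AND explicit trigger phrase."""
    cwd = event.get("cwd") or ""
    prompt = event.get("prompt") or ""
    return in_allowed_project(cwd, allowed_roots) and bool(trigger.search(prompt))


def main():
    try:
        event = json.load(sys.stdin)
    except ValueError:
        return 0  # malformed input: stay silent rather than guess
    if not should_activate(event):
        return 0  # silent no-op for unrelated prompts or unrelated projects
    # Only here would the real capture logic run; it is out of scope here.
    sys.stdout.write("learning-capture: active for this prompt\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire the script in as the hook command and keep the configuration scoped to the project directory rather than the user-level settings; the script-side gate then only has to catch what the matcher cannot express.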

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This documentation encourages persisting learnings into workspace files and promoting them into long-lived prompt/context files without any warning about secrets, personal data, or sensitive operational details. In an agent system that injects workspace files into the prompt, this turns transient sensitive content into durable context that is re-exposed in every future session.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The core workflow encourages storing user corrections, failures, and conversation-derived learnings in durable files for future reuse. Without scoping what may be retained, this normalizes persistence of potentially sensitive user-provided content and creates a memory-retention risk beyond the original session.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The cross-session features explicitly support reading transcripts and sending learnings between sessions, which can propagate sensitive content far beyond its original context. In multi-agent environments, this materially increases the blast radius of accidental disclosure because one session's private information can be surfaced to others through natural-language summaries or transcript access.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The logging templates ask for full context, input parameters, user context, and actual error output, which are common places for secrets, PII, and internal system details to appear. Because the target is a durable markdown log, this can turn transient sensitive data into persistent and potentially shareable records.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The promotion workflow directs conversation-derived learnings into permanent agent context files like CLAUDE.md, AGENTS.md, and similar memory artifacts. This elevates temporary session content into long-lived behavioral context, making accidental retention of sensitive or user-specific information more systemic and harder to remove.
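The Missing User Warnings findings and the four Ssd 3 findings all come down to the same missing control: nothing stands between "full context, input parameters and actual error output" and a durable file that may later be committed or promoted. The gate below is an added example for this audit, not code from the audited skill or from SkillSpector. It assumes learnings are appended to `.learnings/LEARNINGS.md` under the repository root and that the top-level `.gitignore` is the only ignore file that matters (a deliberate simplification of gitignore semantics); the secret patterns are a starting set, not a complete one, and the sample entries in `demo()` are constructed.

```python
"""Data-minimisation gate for a persistent learnings log.

Added example; not code from the audited skill. Assumptions (see lead-in):
learnings live in .learnings/LEARNINGS.md under the repo root, and a line
in the top-level .gitignore is the privacy check. Patterns are illustrative.
"""
import re
from pathlib import Path

# Content that must never reach a durable log. Constructed for this example.
SECRET_PATTERNS = [
    ("aws access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer token", re.compile(r"(?i)\bbearer\s+[a-z0-9._\-]{16,}")),
    ("private key block", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("env assignment", re.compile(
        r"(?im)^\s*[A-Z][A-Z0-9_]*(KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*\s*=\s*\S+")),
    ("email address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]

# Raw dumps are refused outright: a lesson is a distilled sentence, not a trace.
STACK_TRACE = re.compile(
    r"(?m)^\s*(Traceback \(most recent call last\)|at [\w.$<>]+\(.*:\d+\))")


def scrub(text):
    """Return (redacted_text, labels_found); matches are replaced, not kept."""
    found = []
    for label, pat in SECRET_PATTERNS:
        if pat.search(text):
            found.append(label)
            text = pat.sub(f"[REDACTED {label}]", text)
    return text, found


def is_raw_dump(text):
    """True if the entry looks like a pasted stack trace."""
    return bool(STACK_TRACE.search(text))


def learnings_are_ignored(repo_root):
    """True if the top-level .gitignore excludes the .learnings directory."""
    gi = Path(repo_root) / ".gitignore"
    if not gi.exists():
        return False
    wanted = {".learnings", ".learnings/", "/.learnings", "/.learnings/"}
    return any(line.strip() in wanted for line in gi.read_text().splitlines())


def append_learning(repo_root, entry):
    """Persist `entry` only when the store is private and the text is clean.

    Returns a status string so a caller can see why a write was refused
    instead of the entry silently vanishing.
    """
    root = Path(repo_root)
    if not learnings_are_ignored(root):
        return "refused: .learnings is not gitignored"
    if is_raw_dump(entry):
        return "refused: entry is a raw stack trace, distill it first"
    clean, found = scrub(entry)
    log = root / ".learnings" / "LEARNINGS.md"
    log.parent.mkdir(exist_ok=True)
    with log.open("a", encoding="utf-8") as f:
        f.write(clean.rstrip() + "\n\n")
    if found:
        return "written with redactions: " + ", ".join(found)
    return "written"


def demo():
    """Exercise the gate against constructed entries in a throwaway repo."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        before = append_learning(d, "Prefer retries with jitter.")
        (Path(d) / ".gitignore").write_text(".learnings/\n")
        ok = append_learning(d, "Prefer retries with jitter.")
        leaky = append_learning(
            d, "Call failed with AKIAABCDEFGHIJKLMNOP; fixed by rotating.")
        dump = append_learning(
            d, "Traceback (most recent call last):\n  File x.py, line 1")
        stored = (Path(d) / ".learnings" / "LEARNINGS.md").read_text()
        return before, ok, leaky, dump, "AKIA" not in stored
```

The same `scrub` and `is_raw_dump` checks belong in front of any promotion into CLAUDE.md, AGENTS.md or similar files, where the review should stay manual: an entry that was clean enough for a private log is still a behavioural instruction once it lands in long-lived agent context.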

VirusTotal

64/64 vendors reported this skill as clean.