feynman-lobster

Security checks across malware telemetry and agentic risk

Overview

This learning skill is mostly purpose-aligned, but its local dashboard/API handles private workspace data with weak browser isolation (a wildcard CORS policy on the local API and unescaped values in the dashboard) and some under-disclosed side effects (background service startup, automatic browser launch, and writes to workspace files during what are presented as read operations).

Install only if you are comfortable with this skill reading the project and note paths you provide, storing learning profile/memory files, and running a local progress panel. Avoid putting untrusted text, URLs, or resource titles into contracts until dashboard escaping is fixed, run the panel only when needed, and stop the local API/panel processes when finished.
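The "dashboard escaping" caveat above means that a contract field such as a resource title or URL is placed into the panel's HTML as-is. The following is an added example, not code from the feynman-lobster dashboard, showing the unsafe rendering pattern beside a hardened one. The field names (`title`, `url`) and the hostile sample values are constructed for illustration.

```javascript
// Added example (not code from the feynman-lobster dashboard): how a panel
// should render contract fields that may contain attacker-controlled text.
// The field names (title, url) are assumptions for illustration.

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Only absolute http(s) links become clickable resources; anything else
// (javascript:, data:, vbscript:, relative paths) is shown as plain text.
function safeResourceHref(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return parsed.href;
    }
  } catch (_) {
    // not an absolute URL at all
  }
  return null;
}

// Unsafe rendering: what "missing dashboard escaping" looks like. A title
// containing markup becomes live DOM inside the panel's origin.
function renderResourceUnsafe(resource) {
  return `<li><a href="${resource.url}">${resource.title}</a></li>`;
}

// Hardened rendering: every untrusted value is escaped, and an href is only
// emitted when the URL scheme is acceptable.
function renderResourceSafe(resource) {
  const title = escapeHtml(resource.title);
  const href = safeResourceHref(resource.url);
  if (href === null) {
    return `<li>${title} (<code>${escapeHtml(resource.url)}</code>)</li>`;
  }
  return `<li><a href="${escapeHtml(href)}" rel="noopener noreferrer">${title}</a></li>`;
}

// Constructed sample: a resource title and URL an attacker could have placed
// in a note or page title that the skill then copies into a contract.
const hostileResource = {
  title: '<img src=x onerror="fetch(\'/profile\')">',
  url: 'javascript:alert(document.cookie)',
};
```

Because the panel and its API share an origin, script injected through a title runs with full access to `/profile` and the other local endpoints, which is why the escaping matters more here than in a static page.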

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises no explicit permissions, yet its instructions clearly invoke shell execution, file reads/writes, network/A2A interactions, and local service startup. This creates a transparency and consent problem: users and the host may underestimate the skill's real capabilities, increasing the chance of unexpected filesystem modification or service exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is tutoring around a user's project, but the behavior includes hosting a web panel/API, reading and aggregating workspace data, mutating stored contract data, seeding demo content, and packaging/publishing logic. This mismatch is dangerous because users may provide sensitive code/notes believing the skill is only educational, while it also operates a broader local application surface with additional data handling and exposure risks.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description says it helps by reading the user's code and notes, but the instructions also authorize persistent mutation of `contracts.json` and `contract-memory/{contract_id}.md`, including inserting and appending clauses. That scope expansion matters because it allows stateful changes to user/project data beyond the narrowly described teaching function, creating a consent and integrity risk if the agent updates files unexpectedly or incorrectly.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
The skill instructs the agent to read `USER_PROFILE.md` to build a learner profile, which is broader than the stated purpose of reading project code and notes to teach in context. Even if intended to personalize teaching, this increases privacy exposure by accessing potentially sensitive profile data without a clear need-to-know boundary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script is documented and presented as a read-only local API bridge, but this code path silently rewrites `contracts.json` to remove demo entries whenever both demo and real contracts are present. Silent modification of user workspace data violates the stated trust boundary and can cause unexpected data loss or integrity issues, especially because it is triggered by normal read operations rather than by any action the user would recognize as a write.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The module-level documentation claims the service is read-only, but the implementation includes disk writes to workspace state. This mismatch is security-relevant because users and integrators may grant trust or expose the service under false assumptions, increasing the likelihood of unintended file modification.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The setup script automatically starts an additional local service and attempts to open a browser as part of installation, which goes beyond simple workspace initialization. Even though the action is local, unsolicited process spawning and UI launch can surprise users, expand attack surface, and trigger execution paths in another script without explicit consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Attempting to open a browser during setup is an unsolicited side effect not necessary for the stated educational purpose. This behavior can mislead users about what installation does, expose localhost services unexpectedly, and make it easier to hide additional behavior behind a seemingly harmless learning skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The page loads and displays `/profile` data for every contract detail view, exposing a broader user profile than the skill description implies. Even though the API is localhost, this still increases unnecessary data access and can surface privacy-sensitive information to anyone viewing the UI or any component able to influence/render that page.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The README shows broad natural-language triggers such as “我在做” (“I'm working on”), “我想学” (“I want to learn”), and “feynman”, which are likely to overlap with ordinary conversation and can cause unintended activation. In a skill that reads project paths, notes, and workspace state, accidental invocation increases the chance of unnecessary context collection or state changes without clear user intent.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The usage section describes examples of what users can say, but it does not clearly define activation boundaries, precedence, or when the skill should ignore similar phrases. Because the skill can write workspace files and read local resources, ambiguous activation conditions make unintended execution more risky than for a purely informational skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that the skill reads and writes workspace files and reads user project and note paths, but it does not present a centralized, explicit warning about privacy and local-data exposure. Users may not fully understand that sensitive code, notes, learning history, and profile data can be accessed and persisted, especially when combined with heartbeat-driven behavior.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The initialization section says the panel will be started in the background and may open a browser automatically, but this behavior is not highlighted as a potentially surprising side effect. Even though it is local-only, automatic service startup and browser launching can violate user expectations and expand local attack surface if done without clear notice.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Overly broad trigger phrases can activate the skill during ordinary conversation, causing unintended reads of project files, writes to contracts.json, or prompts to run local scripts. Because this skill has meaningful side effects and access to user materials, accidental invocation is more dangerous than in a purely informational skill.

Vague Triggers

Medium
Confidence
86% confidence
Finding
A single-word trigger is easy to match unintentionally in normal dialogue. In this skill's context, accidental activation can lead to state changes, resource registration, or instructions to launch local infrastructure, expanding the blast radius of a simple phrase collision.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The English trigger phrase is generic enough that routine discussion about learning contracts could invoke the skill unexpectedly. Since the skill can read project artifacts and manipulate structured state, unreliable activation creates privacy and integrity risks beyond mere UX annoyance.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation conditions are broad enough that the skill may trigger on common phrases like '我在做' ('I'm working on') or '我想学' ('I want to learn'), causing it to engage when the user did not intend to invoke this workflow. In this skill, unintended activation is more sensitive because the flow then asks for local code, notes, and filesystem paths, which can lead to unnecessary exposure of private local context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions direct the agent to write to `contract-memory/{contract_id}.md` during normal use, but there is no explicit user warning or approval step for that persistent modification. Silent writes are dangerous because they can surprise users, create inaccurate records, and alter project state in ways the user did not knowingly authorize.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section instructs the skill to read local resource paths, project files, notes, and `USER_PROFILE.md` without any user-facing disclosure at the point of access. That is risky because local notes and profile files may contain sensitive personal or proprietary information, and the user may not realize the agent is traversing them to generate questions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The later sections authorize multiple persistent writes to `contracts.json` and `contract-memory/{contract_id}.md`, including status changes, attempt counters, inserted clauses, appended clauses, and completion records, again with no explicit warning or consent flow. This creates ongoing integrity and transparency risks because the agent can reshape the user's learning contract and stored history autonomously.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The API exposes sensitive local workspace content such as contracts, conversations, memory, and the user profile over HTTP while sending `Access-Control-Allow-Origin: *`, which tells the browser that any origin may read the responses. Any website open in the same browser can therefore fetch from the local service (for example `/profile`) and forward the response body elsewhere, exfiltrating private project and profile data without any user-visible sign. A wildcard is only appropriate for data that is already public; a localhost panel should echo an allow-listed origin (or send no CORS header at all) rather than `*`.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code modifies contracts.json as a side effect of loading contracts, but there is no explicit user warning or consent that workspace files may be changed. Hidden mutation in a tool advertised as read-only is dangerous because it undermines user expectations and can irreversibly alter local state during routine use.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script launches a secondary script in detached mode and tries to open a browser without warning or confirmation, which is risky because it chains hidden actions during setup. This reduces transparency, makes review harder, and could be abused if the secondary script later gains more powerful behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The interface fetches conversations, memory, and profile data from local APIs and renders them without a clear privacy notice or consent flow. Users may not realize that potentially sensitive project notes, learning history, and profile summaries are being pulled into the page, creating a transparency and privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal