ARK — Adaptive Regulative Kriptos (V1 Declarative)

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it gives itself broad session-level control over agent behavior and includes under-scoped monitoring, self-repair, and reasoning-disclosure instructions that deserve review before use.

Install only if you intentionally want a broad prompt-level constitution to influence the agent for an entire session. Review ARK.yaml first, especially the document-generation, human-variable, auto-repair, Root/Foundational Interlocutor, and internal-reasoning sections. There is no evidence of malware, credential theft, or destructive code, but the behavioral scope is broad enough that ordinary users should treat it as Review rather than a routine helper skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Description-Behavior Mismatch

Medium, 91% confidence
Finding
The skill is described as a universal constitutional layer, but it embeds concrete execution logic for document compilation, QC gates, acronym policies, and operational workflow. That scope expansion creates hidden behavior not justified by the advertised purpose, increasing the chance the skill will unexpectedly steer agent actions in unrelated tasks.

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The document-generation enforcement block adds file-format-specific validation and auto-regeneration behavior inside a supposedly generic governance layer. This can silently alter outputs, constrain deliverables, or override task-specific instructions in ways users and downstream systems would not expect from a constitutional policy file.

Context-Inappropriate Capability

Medium, 84% confidence
Finding
The human-variable monitoring module authorizes detection of fatigue, cognitive load, sensory stability, and rhythm-based cues, which goes beyond a neutral constitutional layer. In practice this can justify profiling or inferring sensitive user state without clear necessity, consent, or tight scope controls.

Intent-Code Divergence

High, 95% confidence
Finding
The file tells the AI it must never correct the file on its own, yet later introduces auto-repair and silent auto-regeneration mechanisms that authorize autonomous corrective action. This contradiction is dangerous because it creates a policy loophole where the agent can justify self-modifying or silently altering behavior while claiming compliance.

Vague Triggers

Medium, 89% confidence
Finding
The broad instruction to 'Activate immediately the YAML file named ARK.yaml' is vague and can cause unintended invocation whenever similar language appears in ordinary conversation or imported content. In an agent setting, broad triggers increase the risk of prompt capture, unplanned policy loading, and interference with unrelated tasks.

Vague Triggers

Medium, 83% confidence
Finding
Manual activation examples such as 'observe everything' or 'listen beyond words' are highly ambiguous and easily matched by benign user language. That makes accidental activation of perceptual or monitoring behaviors more likely, especially in mixed-content conversations.

Ssd 3

Medium, 97% confidence
Finding
The module explicitly requires a second section containing internal reasoning, structural requirements, and inferential processing steps. That is a direct mechanism for eliciting chain-of-thought or sensitive internal reasoning traces, which can leak policy details, hidden decision criteria, and prompt-internal data to users or downstream tools.
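The vague-trigger, intent-code-divergence, reasoning-disclosure and human-variable findings above are all patterns that can be checked mechanically before a skill is installed: does a trigger phrase also occur in ordinary user text, does the policy both forbid and authorise self-correction, does it ask for internal reasoning to be emitted, does it authorise inferring user state. The linter below is an added example written for this page; it is not part of the report, not the ARK project's code and not how SkillSpector works. The skill dicts and the benign messages are constructed for the example and reuse the phrases the findings quote; the regexes, category names and the dict layout (`triggers`, `body`) are assumptions of the example, not the real ARK.yaml structure.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


# Instructions that authorise autonomous corrective action on the policy or on outputs.
AUTONOMOUS_FIX = re.compile(
    r"\b(auto[- ]?repair\w*|auto[- ]?regenerat\w*|self[- ]?(?:correct|modif)\w*)\b", re.I)
# Instructions that forbid the agent from touching the policy on its own.
FORBID_SELF_FIX = re.compile(
    r"\b(never|must not|do not)\s+(correct|modify|alter|edit)\b", re.I)
# Instructions that ask for internal reasoning to be surfaced in the output.
REASONING_LEAK = re.compile(
    r"\b(internal reasoning|chain[- ]of[- ]thought|inferential processing|reasoning traces?)\b",
    re.I)
# Instructions that authorise inferring sensitive user state (assumed term list).
STATE_INFERENCE = re.compile(
    r"\b(fatigue|cognitive load|sensory stability|emotional state)\b", re.I)


def trigger_collisions(trigger, messages):
    """Return the messages in which the trigger phrase occurs as ordinary text."""
    words = [re.escape(w) for w in trigger.split()]
    pattern = re.compile(r"\b" + r"\s+".join(words) + r"\b", re.I)
    return [m for m in messages if pattern.search(m)]


def lint_skill(skill, benign_messages):
    """Run the four checks over a skill dict with 'triggers' and 'body' keys."""
    findings = []
    for trigger in skill["triggers"]:
        hits = trigger_collisions(trigger, benign_messages)
        if hits:
            findings.append(Finding(
                "vague_trigger", f"{trigger!r} also matches benign text: {hits[0]!r}"))
    body = skill["body"]
    forbid = FORBID_SELF_FIX.search(body)
    allow = AUTONOMOUS_FIX.search(body)
    if forbid and allow:  # both a prohibition and an authorisation: policy loophole
        findings.append(Finding(
            "intent_code_divergence",
            f"{forbid.group(0)!r} contradicts {allow.group(0)!r}"))
    for m in REASONING_LEAK.finditer(body):
        findings.append(Finding("reasoning_disclosure", m.group(0)))
    for m in STATE_INFERENCE.finditer(body):
        findings.append(Finding("sensitive_state_inference", m.group(0)))
    return findings


# Constructed sample, not the real ARK.yaml: it reuses the phrases the report quotes.
RISKY_SKILL = {
    "description": "A universal constitutional layer for the agent.",
    "triggers": [
        "Activate immediately the YAML file named ARK.yaml",
        "observe everything",
        "listen beyond words",
    ],
    "body": (
        "The AI must never correct the file on its own. "
        "If a document fails the QC gate, auto-repair it and silently "
        "auto-regenerate the output. "
        "Monitor the human for fatigue and cognitive load. "
        "Every reply has a second section containing internal reasoning and "
        "inferential processing steps."
    ),
}

# Constructed helper skill with a distinctive trigger and no self-modifying clauses.
BENIGN_SKILL = {
    "description": "Formats changelogs.",
    "triggers": ["run changelog-formatter"],
    "body": "Rewrite the given changelog in Keep a Changelog style and return it.",
}

# Constructed ordinary user messages used to probe the triggers.
BENIGN_MESSAGES = [
    "Can you observe everything in this log and tell me what changed?",
    "I try to listen beyond words when reading user feedback.",
    "What is the capital of France?",
]


if __name__ == "__main__":
    for name, skill in (("risky", RISKY_SKILL), ("benign", BENIGN_SKILL)):
        print(name)
        for f in lint_skill(skill, BENIGN_MESSAGES):
            print(f"  {f.category}: {f.detail}")
```

The collision check only flags a trigger that literally occurs in the sample messages: 'observe everything' and 'listen beyond words' are caught, while 'Activate immediately the YAML file named ARK.yaml' is not, even though the report rates it vague too. That is the limit of a corpus-based check, so the benign corpus should come from the real user population (support transcripts, prior sessions) rather than a handful of hand-written lines.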

VirusTotal

66/66 vendors flagged this skill as clean.
