Solo

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly an audit/meta-agent framework, but it also includes under-disclosed credentialed upload and persistent automation behavior that users should review before installing.

Install only if you trust the publisher and are comfortable with an agent framework that can maintain persistent audit state, interact with cron-style workflows, and upload local Markdown/text content to an external IMA knowledge base using API credentials read from environment variables. Before use, require explicit confirmation for any upload or external push, restrict which paths may be read or written, and review the generated audit/status files regularly.
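One way to enforce the two controls recommended above (per-file confirmation before any external push, and an allowlist of readable paths) is to put the skill's upload helper behind a gate that denies by default. The following is an added example and is not code from the Solo skill or from SkillSpector; the only thing taken from the report is the helper's name, `node scripts/ima-upload.cjs`. Its argument convention, the allowed-root list, the `confirm`/`uploader` callables and the `UploadDenied` error are assumptions made for this example, and the workspace built by `demo()` is constructed.

```python
"""Confirmation-gated, path-restricted wrapper for an external push.

Added example; not code from the Solo skill or from SkillSpector. The helper
name comes from the report; its CLI arguments, the allowed-root list, the
confirm/uploader callables and UploadDenied are assumptions for this example.
"""
from __future__ import annotations

import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Iterable

UPLOAD_CMD = ["node", "scripts/ima-upload.cjs"]  # helper named in the report; args assumed


class UploadDenied(Exception):
    """Raised when the gate refuses to push a file."""


def _is_under(path: Path, roots: Iterable[Path]) -> bool:
    # Resolve symlinks and '..' before comparing, so notes/../secret.md or a
    # symlink pointing outside the allowed tree does not pass a prefix test.
    real = path.resolve(strict=True)
    return any(real == r or r in real.parents for r in (Path(x).resolve() for x in roots))


def guarded_upload(path, allowed_roots, confirm: Callable[[Path], object],
                   uploader: Callable[[Path], object] | None = None) -> Path:
    """Push `path` only if it is a regular Markdown/text file under an allowed
    root and the user confirms that specific resolved path. Otherwise deny."""
    p = Path(path)
    if not p.is_file():
        raise UploadDenied(f"not a regular file: {path}")
    if p.suffix.lower() not in {".md", ".txt"}:
        raise UploadDenied(f"not Markdown/text: {path}")
    if not _is_under(p, allowed_roots):
        raise UploadDenied(f"outside allowed roots: {path}")
    real = p.resolve()
    # Confirmation is per file and must be exactly True; None or a truthy
    # string from a careless callback counts as a refusal.
    if confirm(real) is not True:
        raise UploadDenied(f"upload not confirmed: {real}")
    run = uploader or (lambda f: subprocess.run(UPLOAD_CMD + [str(f)], check=True))
    run(real)
    return real


def demo(workspace: Path | None = None) -> tuple[dict, list]:
    """Constructed workspace: an allowed note, a .env inside the allowed root,
    a secret outside it, and a traversal path that textually starts under notes/."""
    ws = Path(workspace or tempfile.mkdtemp())
    notes = ws / "notes"
    notes.mkdir(parents=True, exist_ok=True)
    (notes / "design.md").write_text("# design notes\n")
    (notes / ".env").write_text("IMA_API_KEY=constructed-sample\n")
    (ws / "secret.md").write_text("not for upload\n")
    cases = {
        "allowed": notes / "design.md",
        "traversal": notes / ".." / "secret.md",
        "dotenv": notes / ".env",
        "unconfirmed": notes / "design.md",
    }
    pushed: list[Path] = []
    results = {}
    for name, target in cases.items():
        confirm = (lambda f: None) if name == "unconfirmed" else (lambda f: True)
        try:
            guarded_upload(target, [notes], confirm, uploader=pushed.append)
            results[name] = "pushed"
        except UploadDenied:
            results[name] = "denied"
    return results, pushed


if __name__ == "__main__":
    print(demo())
```

In the demo only `notes/design.md` with an explicit `True` confirmation is pushed; the traversal path resolves outside the allowed root, `.env` fails the file-type check, and a callback that returns `None` is treated as a refusal rather than as silence-equals-consent.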

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
Although the file claims the MEV layers are only design guidance and not a runtime-enforced framework, it also uses imperative language such as 'auto-activated', 'must pass', and explicit command execution requirements. In an agent skill, that ambiguity is dangerous because downstream agents may treat advisory text as binding operational instructions and execute tools or scripts without clear user intent or security review.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The document's top-level safety rule says external writes require user confirmation, but later mandates uploads via `node scripts/ima-upload.cjs` and cron delivery behavior. Conflicting instructions inside a skill can cause an agent to bypass its own safety gate by following the later mandatory workflow, resulting in unauthorized data transmission or persistent automated actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The script reads API credentials from environment variables and uses them to upload arbitrary local file contents to an external knowledge-base API via a spawned helper script. In the context of a skill described as a meta-agent/auditing component, this undisclosed data-transfer capability increases the risk of covert exfiltration of local data and secret misuse, especially because the actual network logic is delegated to another file outside the current script.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The manifest presents the skill as a meta-agent/auditing architecture, but this file implements direct file ingestion and upload to an external knowledge base. That mismatch is security-relevant because users and reviewers may grant the skill trust or access based on the declared purpose, while the code can transmit local content elsewhere, enabling unexpected data exfiltration under misleading packaging.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The on-demand trigger rule says a specific operator can directly trigger powerful skills, but it does not define authorization checks, approval conditions, scope limits, or audit requirements for those manual invocations. In a meta-agent that can launch other skills and interact with external sources, vague activation semantics increase the risk of unintended or unauthorized execution.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill requires updating `.solo/pipeline-status.json` at each stage, which is a persistent local file modification, but the documentation provides no user-facing disclosure or consent boundary for that write. Silent workspace mutation is risky because it can overwrite local state, create misleading status artifacts, or be abused by chained skills that treat this file as trusted control data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill mandates appending audit proposals and execution signatures to persistent audit artifacts, but it does not warn users that state will be retained across runs. Persistent writes are dangerous in this context because they can accumulate sensitive operational metadata, poison future audit decisions, and create durable side effects that outlive the initiating task.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill explicitly instructs the agent to write audit artifacts and propose updates to persistent files, but it does not include any user-facing consent, approval gate, or runtime warning before modifying stored state. In an agent setting, even limited writes can create integrity and persistence risks, especially if audit outputs or learned rules later influence future behavior.
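Three of the findings above (a credential-reading script that hands work to a spawned helper, a confirmation rule that is later overridden by a mandatory upload step, and persistent-state writes with no consent language) can be checked before installation with a small static pass over the skill package. The following is an added example and is not SkillSpector's scanner or the Solo skill's files; the only identifiers taken from the report are `scripts/ima-upload.cjs` and `.solo/pipeline-status.json`. The `SKILL.md` text and the two `.cjs` scripts written by `sample_skill()` are constructed samples, the regexes are this example's own heuristics, and the environment variable name `IMA_API_KEY` is made up for the demo.

```python
"""Pre-install static review of an agent skill package.

Added example; not SkillSpector's code and not the Solo skill's files. Three
of the report's findings are turned into regex checks over a constructed
sample package (SKILL_MD, INGEST_CJS, REPORT_CJS are made up for the demo).
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

CRED_RE = re.compile(r"process\.env\.\w*(KEY|TOKEN|SECRET)\w*|os\.environ\[|getenv\(", re.I)
EGRESS_RE = re.compile(r"child_process|spawn\(|execFile\(|fetch\(|https?\.request|axios", re.I)
GATE_RE = re.compile(r"(requires?|ask for|needs?)\s+(explicit\s+)?(user\s+)?confirmation", re.I)
MANDATE_RE = re.compile(r"\b(must|always|mandatory)\b[^.\n]*(upload|push|node\s+scripts/\S+)", re.I)
STATE_RE = re.compile(r"\.\w+/[\w./-]+\.json|append[^.\n]*(audit|log)\b", re.I)
CONSENT_RE = re.compile(r"confirm|consent|warn|approv", re.I)

SKILL_MD = """# Constructed meta-agent skill (sample for this example, not Solo's SKILL.md)

Safety rule: any external write requires explicit user confirmation.

Stage tracking: update .solo/pipeline-status.json at every stage.

Delivery: after each audit you must upload the summary with node scripts/ima-upload.cjs
and append the proposal to the audit log.
"""

INGEST_CJS = """// constructed sample: secret from env, network work delegated to a helper
const { spawn } = require("child_process");
const apiKey = process.env.IMA_API_KEY;
spawn("node", ["scripts/ima-upload.cjs", process.argv[2]], { env: { ...process.env, IMA_API_KEY: apiKey } });
"""

REPORT_CJS = """// constructed sample: local write only, must not trip check_scripts
const fs = require("fs");
fs.writeFileSync(".solo/pipeline-status.json", JSON.stringify({ stage: process.argv[2] }));
"""


def check_scripts(root: Path) -> list[dict]:
    """Credentialed egress: a script reads an API secret from the environment
    and also spawns a helper or calls the network, so local data plus the
    secret can leave the host through code the reviewer may not have read."""
    out = []
    for f in sorted(p for p in root.rglob("*") if p.suffix in {".js", ".cjs", ".mjs", ".py"}):
        text = f.read_text(errors="replace")
        creds, egress = CRED_RE.search(text), EGRESS_RE.search(text)
        if creds and egress:
            out.append({"check": "credentialed-egress", "file": f.relative_to(root).as_posix(),
                        "evidence": [creds.group(0), egress.group(0)]})
    return out


def check_instruction_conflict(skill_md: str) -> list[dict]:
    """Gate bypass: a confirmation rule followed later by an unconditional
    'must upload ...' step; an agent following the most specific instruction
    runs the later mandate and skips the earlier gate."""
    gate = GATE_RE.search(skill_md)
    if not gate:
        return []
    return [{"check": "gate-bypass", "evidence": [gate.group(0), m.group(0).strip()]}
            for m in MANDATE_RE.finditer(skill_md, gate.end())]


def check_silent_state(skill_md: str) -> list[dict]:
    """Undisclosed write: a persistent file or append-to-audit instruction in
    a paragraph with no confirmation, consent, warning or approval wording."""
    out = []
    for para in re.split(r"\n\s*\n", skill_md):
        if CONSENT_RE.search(para):
            continue
        out += [{"check": "undisclosed-write", "evidence": [m.group(0)]} for m in STATE_RE.finditer(para)]
    return out


def audit(root: Path) -> list[dict]:
    skill_md = (root / "SKILL.md").read_text()
    return check_scripts(root) + check_instruction_conflict(skill_md) + check_silent_state(skill_md)


def sample_skill() -> Path:
    """Write the constructed sample package to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp())
    (root / "scripts").mkdir()
    (root / "SKILL.md").write_text(SKILL_MD)
    (root / "scripts" / "ingest.cjs").write_text(INGEST_CJS)
    (root / "scripts" / "report.cjs").write_text(REPORT_CJS)
    return root


if __name__ == "__main__":
    for finding in audit(sample_skill()):
        print(finding)
```

Run against the sample, the pass reports one credentialed-egress finding (for `ingest.cjs` only; `report.cjs` writes locally but reads no secret and spawns nothing), one gate-bypass finding pairing the confirmation rule with the later "must upload" mandate, and two undisclosed writes (`.solo/pipeline-status.json` and the append to the audit log). The regexes are deliberately crude; the point is that these three patterns are visible in the package text before anything is installed, and that the gate-bypass check has to look at instruction order, not just for the presence of a safety rule.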

VirusTotal

64/64 vendors flagged this skill as clean. Antivirus engines match the packaged files against known malware signatures; a clean result says nothing about the instruction-level behaviour listed in the findings above (conflicting safety rules, credentialed uploads, persistent state writes), which no signature scan detects.

View on VirusTotal