Dmn Default Mode Network

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill is not overtly malicious, but it asks an unattended agent to read private notes, write persistent files, and feed future self-evolution work without clear approval gates.

Install only if you intentionally want an unattended reflective agent that can read your configured memory and knowledge-base files and write persistent outputs. Keep it manual at first, restrict configured directories to non-sensitive notes, inspect synthesis files and memory/evolve/candidates.md, and require explicit approval before any proposed install, repo clone, script, skill change, or self-evolve action runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Description-Behavior Mismatch

High (98% confidence)
The manifest and top-level description frame the skill as passive background reflection, but the body expands it into an agent with full host control that can write code, install tools, and create projects. This is a dangerous scope escalation because an automatically triggered background skill could perform system-impacting actions without a clear, contemporaneous user request or approval boundary.

Context-Inappropriate Capability

High (99% confidence)
Granting a 'background thought' skill unjustified host-control capabilities violates least privilege and creates a path for unauthorized code execution, package installation, filesystem changes, and persistence. In context, the danger is amplified because the skill is designed to run automatically and silently, so harmful actions may occur without active oversight.

Context-Inappropriate Capability

Medium (95% confidence)
The template for an internal idle-time thinking skill explicitly pushes the agent from reflection into immediate code and engineering actions, including creating scripts and cloning repositories. This materially expands the skill from passive synthesis into autonomous execution, creating a path for unintended system changes or external interactions without a clear user trigger or scoped authorization.

Context-Inappropriate Capability

Medium (97% confidence)
The template directs the agent to append a summary to `memory/evolve/candidates.md` as part of normal output generation, introducing a file-writing side effect unrelated to simple session synthesis. Silent persistence to local memory/log files can be abused to plant prompts, influence future behavior, or modify state without explicit user awareness.

Context-Inappropriate Capability

Medium (95% confidence)
The skill is described as an idle-time internal reflection and knowledge-deepening system, but this section explicitly instructs it to convert insights into 'Agentic Action Proposal' items for host-permission code-level validation. That expands the scope from passive cognition into operational planning for privileged actions, creating a pathway for autonomous or later-triggered host-impacting behavior without clear user authorization boundaries.

Description-Behavior Mismatch

High (98% confidence)
The workflow explicitly requires the DMN to generate concrete host-level technical action proposals such as installing projects, writing demo code, or creating scripts, which exceeds passive reflection and moves into operational autonomy. Combined with automatic handoff into future execution queues, this creates a pathway from internal reasoning to real-world system changes without an explicit approval gate.

Context-Inappropriate Capability

High (99% confidence)
The document frames the DMN as acting 'as an OpenClaw Agent with full control of the host,' normalizing privileged behavior and encouraging proposals that assume unrestricted system access. Even if phrased as simulation, this instruction biases the agent toward high-risk system-changing actions that would be dangerous in an autonomous background process.

Vague Triggers

Medium (90% confidence)
The example trigger phrase, 'Think about [topic] tonight,' is broad natural language that can easily overlap with ordinary conversation and unintentionally invoke autonomous background behavior. In the context of a skill designed to think and generate action proposals while the user is away, accidental activation increases the chance of unsupervised processing and downstream proposal generation without explicit informed consent.

Missing User Warnings

Medium (95% confidence)
The README explicitly markets autonomous background operation, host-access action proposals, and unattended execution while the user sleeps, but does not provide a clear warning about operational risk, required permissions, or execution constraints. In this skill's context, that omission is dangerous because users may enable a capability that influences system actions or future execution pipelines without understanding the potential impact on their host, data, or agent behavior.

Vague Triggers

Medium (90% confidence)
Broad, underspecified auto-trigger conditions for a silent background skill increase the chance of unexpected execution and make it difficult to enforce policy boundaries. Because this skill also contemplates privileged engineering actions, vague triggering materially raises the risk of unintended system modifications.

Missing User Warnings

High (97% confidence)
The skill advertises host-privileged actions such as installing tools and creating projects without a clear warning, consent model, or operational safeguards. In a background/autonomous context, this can mislead operators about the true risk profile and lead to silent system changes with security, stability, and supply-chain consequences.

Missing User Warnings

Medium (98% confidence)
The skill tells the agent to append to a local log file without any warning, consent checkpoint, or disclosure that local files will be modified. This undermines user expectations and safe operation because an ostensibly reflective skill performs persistent state changes behind the scenes.

Missing User Warnings

Medium (89% confidence)
The skill mandates multiple local file writes, including output notes, synthesis files, state files, and evolution queue entries, but does not present this as a consented side effect to the user. Silent persistence in an autonomous background workflow can alter the local environment, create audit and privacy issues, and make later automated behaviors depend on data the user did not knowingly approve.

Missing User Warnings

Low (82% confidence)
The workflow includes push notifications containing synthesis summaries and action plans without documenting any consent, channel controls, or sensitivity restrictions. In an autonomous system, even summary notifications can leak private internal content or create unexpected user-facing behavior.

Ssd 1

Medium (99% confidence)
The template frames the agent as having 'full host control' and asks what immediate code or engineering action it can take based on its prior reasoning. In the context of an idle/background default-mode skill, this is especially dangerous because it normalizes broad authority and encourages autonomous system-level actions without an explicit user request, greatly increasing the risk of unauthorized execution, file changes, or network activity.

Ssd 3

Medium (95% confidence)
Appending AI capability and workflow proposals into a persistent evolution queue allows content derived from prior sessions, notes, and user context to be carried forward into later runs. This can leak sensitive context across task boundaries and can also seed future self-modifying or system-changing behavior from unreviewed autonomous output.

VirusTotal

66/66 vendors flagged this skill as clean.
