Repo2

Security checks across malware telemetry and agentic risk

Overview

This skill is a real self-evolution tool, but it has broad automated code-changing, background, update, and network behaviors that are not scoped clearly enough for safe default use.

Install only in an isolated, version-controlled workspace where autonomous code edits, session-log analysis, background loops, and external EvoMap/Hub communication are acceptable. Prefer review mode, disable auto-update and auto-publish unless intentionally needed, avoid exposing broad GitHub/ClawHub/API tokens, and do not run the lifecycle or skills-monitor repair helpers against untrusted skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (67)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill advertises capabilities that include environment and network access without declaring permissions, which undermines auditability and informed consent. In a self-modifying, autonomous skill, hidden access paths materially increase risk because the agent may exfiltrate data, fetch untrusted updates, or act externally without clear operator approval.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
The documented purpose frames the skill as runtime-history analysis and protocol-constrained evolution, but the detected behavior includes broad network coordination, task claiming, publication, git release flows, package rewriting, auto-updates, daemon management, and public distribution. This mismatch is dangerous because operators may grant trust appropriate for a local analysis tool while the skill actually performs high-impact autonomous software supply-chain and network actions.

Context-Inappropriate Capability

Severity: Low
Confidence: 81%
Finding:
Automatic detection of local skills and behavior upgrades expands trust boundaries across the workspace, which can create unexpected cross-skill interactions or privilege propagation. In an agent environment, opportunistically binding to other skills can let unreviewed local components influence reporting or execution paths, increasing the attack surface.

Intent-Code Divergence

Severity: High
Confidence: 93%
Finding:
The security model claims `src/evolve.js` only performs read-only git/process queries, yet earlier documentation says the system autonomously writes code patches and artifacts to optimize itself. This inconsistency can mislead operators about the write/modify capabilities of the skill, causing them to grant trust or automation approval under false assumptions; in a self-modifying agent, that materially increases the risk of unauthorized or unsafe code changes.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The code can respawn itself as a detached background process and immediately exit, creating persistence-like daemon behavior that is broader than simple one-shot evolution logic. In an agent skill context, this is dangerous because it can evade normal lifecycle controls, continue operating without supervision, and make termination or auditing harder.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The script copies arbitrary repository paths from public.manifest.json into a public output directory, applies rewrites, and only blocks docs/ and memory/ afterward. Because there is no positive allowlist or robust path containment check for manifest entries and rewrite targets, a malformed or adversarial manifest could package unintended sensitive files into the public distribution, which is especially risky in a self-evolving skill where repository contents may change over time.

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding:
This script performs end-to-end release and publication actions: pushing branches and tags, creating GitHub releases, cloning and rewriting a public repository, and publishing artifacts to ClawHub. Those capabilities are materially broader than the declared purpose of a runtime-history-based self-evolution engine, so in an agent skill context they create an unjustified exfiltration and supply-chain modification path if invoked by the agent or an operator without full awareness.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The file includes direct external publication features for GitHub and ClawHub, including authenticated API calls and CLI-based release creation. In the context of a self-evolution skill, these outbound distribution functions are dangerous because they enable code/artifact publication to external services unrelated to the stated analysis/evolution purpose, increasing the risk of unauthorized release, data leakage, or supply-chain abuse.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
This section clones a remote GitHub repository, deletes its contents except .git, copies in build artifacts, commits, and pushes to the remote branch. That is a powerful repository-rewrite workflow that can overwrite public content and propagate unintended or malicious artifacts; within this skill's declared context, it is especially dangerous because repository republishing is outside the expected self-evolution function and could be triggered as a hidden side effect.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The skill's stated purpose is runtime-history analysis and protocol-constrained evolution, but this block independently performs remote package/skill updates by invoking the ClawHub CLI with force-update semantics. That expands the trust boundary from local analysis into autonomous code acquisition and modification, creating supply-chain and unexpected code-execution risk if the registry, package, or update path is compromised.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The code executes process.env.INTEGRATION_STATUS_CMD via execSync, which is arbitrary shell execution sourced from environment state. Any attacker who can influence the process environment, wrapper config, or launch context can run commands with the agent's privileges, making this a direct command-injection primitive.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
This block performs autonomous external package updates unrelated to the narrow evolution function, and does so by running update commands that can alter installed skills on disk. In a self-modifying agent, this is especially dangerous because it can introduce unreviewed behavior changes and compound compromise through upstream package tampering or malicious updates.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
Hello messages automatically include an environment fingerprint, which can expose host-specific characteristics to a hub or peer without clear minimization or consent. In a self-evolving agent context, this creates unnecessary host profiling risk and can aid tracking, environment inference, and targeting of follow-on attacks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The module derives a stable node ID from device-specific data, agent name, and working directory, then persists it across runs. This enables durable host correlation and tracking, and because getNodeId() is also used as the fallback HMAC secret, exposure or predictability of the identifier can weaken message authenticity assumptions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The code derives a stable identifier from host-level attributes such as /etc/machine-id, macOS IOPlatformUUID, container IDs, hostname, and MAC addresses, then persists it for reuse. For a skill described as runtime-history-based self-evolution, this creates unnecessary fingerprinting and enables cross-run/cross-directory tracking of the host or container beyond what users would reasonably expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The implementation maintains persistent node identity through host fingerprinting and local storage, while the stated skill purpose emphasizes runtime-history evolution rather than device tracking. That mismatch is security-relevant because it hides persistent identification behavior inside a capability where users may not anticipate host fingerprint collection or durable identity correlation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
This code makes outbound requests to a hub service and then feeds the returned assets into the evolution flow as reusable solutions. That expands the trust boundary from purely local runtime-history analysis to remote, untrusted content, creating supply-chain and prompt/data-injection risk if the hub is compromised, malicious, or misconfigured.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
The module reads environment variables to determine a remote hub URL and reuse behavior, allowing externally supplied configuration to direct outbound network access and influence evolution decisions. In an agent skill, this can enable silent data egress or remote influence over behavior if the environment is attacker-controlled or insufficiently constrained.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The adapter can transmit runtime memory-graph data to an external service when the remote provider is enabled, which expands the trust boundary beyond the local self-evolution engine. Because the data contents may include signals, observations, hypotheses, and other behavioral history, this creates a real confidentiality and governance risk if operators enable the remote mode without explicit review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The code reads a remote URL and bearer token from environment variables and performs authenticated POST requests to a SaaS endpoint. That is not inherently malicious, but in this skill context it means privileged runtime data can be sent off-host to any configured destination, including an attacker-controlled URL if environment configuration is compromised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
This prompt builder goes beyond passive analysis and actively instructs the downstream agent to modify code, run validation, execute solidify, report status, and manually create files. In a self-evolving agent, embedding operational authority in prompt text materially increases the chance of unintended autonomous changes, especially when combined with broad context injection and limited external approval gates.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The code captures an environment fingerprint and embeds it into the model prompt, expanding the prompt with host-specific operational metadata not clearly required for 'analyzes runtime history to identify improvements.' This creates unnecessary data exposure to the model and can help tailor harmful mutations or environment-aware exploitation if the prompt or model is compromised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The prompt includes arbitrary environment-sourced values such as EVOLVE_HINT and WORKSPACE_DIR directly in behavioral instructions and file-writing paths. This creates a prompt-injection and path-influence channel where external environment configuration can steer model behavior, induce sensitive disclosure, or cause writes to unintended locations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The file's stated role is local 'solidify' of self-evolution state, but it also performs outbound Hub publication and task completion over the network. That broadens trust boundaries substantially: local runtime history, capsules, events, failure reasons, and derived metadata can be transmitted externally, creating data exfiltration and remote coordination risk if the Hub is misconfigured, compromised, or attacker-controlled.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The code executes shell commands via execSync using string commands, and later passes it validation commands derived from gene data as well as many git inspection commands. Even though validation commands have a partial allowlist, this still creates command-execution attack surface, especially if untrusted gene content or environment-controlled parameters influence the commands, and it grants the skill powerful local repository manipulation capability.

VirusTotal

66/66 vendors flagged this skill as clean.
