lua

Security checks across malware telemetry and agentic risk

Overview

The package is advertised as a Lua helper, but the installed artifacts are a self-improvement system with hooks and persistent memory guidance, so it needs review before use.

Do not install this as a Lua skill unless you intentionally want the bundled self-improvement workflow. If you do install it, review and explicitly opt into any hooks, avoid user-level/global hook activation, and do not store secrets, credentials, personal data, raw transcripts, or sensitive project details in .learnings or promoted prompt files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document states that the scripts 'only output text' and 'don't modify files or run commands', but the configuration explicitly registers shell scripts as hook commands. This is dangerous because it downplays the trust boundary: any configured hook executes as a local command with the user's permissions, so readers may enable it without appropriately reviewing or sandboxing the scripts.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The activation guidance is broad enough to match ordinary conversational turns such as corrections, wishes, or feature questions. In practice this can cause over-activation, unnecessary logging, and collection of content the user did not intend to store persistently.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The listed detection phrases are generic everyday language and are treated as automatic logging triggers without meaningful contextual checks. This raises the risk of unintended activation and durable storage of sensitive conversational content based on ambiguous wording alone.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The template tells authors to include trigger conditions, but it does not require concrete activation boundaries, exclusions, or specificity. In an agentic system, vague trigger language can cause over-broad skill invocation, making the skill fire in unintended contexts and increasing the chance that risky guidance, scripts, or operational behavior is applied when it should not be.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The minimal template's description field allows very broad 'what this skill does and when to use it' wording without enforcing narrow invocation criteria. Because this repository is for self-improvement skills that may later be consulted before major tasks, an overly general description can cause accidental activation across many sessions, propagating incorrect, stale, or unsafe guidance more widely than intended.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation directs users to persist learnings to workspace files and promote them across shared context files, but it does not warn against storing secrets, personal data, credentials, or sensitive operational details. In a system built around prompt injection from workspace files, this can cause sensitive data to be repeatedly surfaced to future sessions or other agents, increasing unintended disclosure risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The cross-session history and messaging features are presented as normal workflow tools without any caution that transcripts and messages may contain sensitive user, system, or credential material. Because these features enable movement of information between sessions, they expand the blast radius of any sensitive content captured in one session.

Ssd 3

Severity: Medium
Confidence: 88%
Finding
The skill encourages retaining corrections, errors, and other user-provided context in durable markdown files for future sessions. Persistent natural-language storage creates a straightforward privacy and data-minimization risk because sensitive information may be copied into files outside the immediate interaction.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The quick-reference table directs the agent to log user corrections and missing-feature requests directly into persistent files. Those categories often contain private project details, proprietary requirements, or personal information that should not be copied verbatim into long-lived notes.

Ssd 3

Severity: High
Confidence: 95%
Finding
The skill explicitly promotes reading other session transcripts and sending learnings between sessions, which expands the audience and lifetime of conversational data. That materially increases the chance of unauthorized disclosure of sensitive user content, especially if sessions span different tasks, users, or trust boundaries.

Ssd 3

Severity: High
Confidence: 96%
Finding
The logging templates ask for full context, inputs, parameters, environment details, and user context, which strongly encourages copying potentially sensitive material into durable files. This is a classic data leakage pattern because secrets, tokens, internal paths, customer data, or proprietary prompts may be preserved in plain text.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content
### Option 1: Project-Level Configuration

Create `.claude/settings.json` in your project root:

```json
{
  "hooks": {
    "UserPromptSubmit": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
```

Confidence: 78%
Finding
The flagged content is the `UserPromptSubmit` command hook registration quoted above.

VirusTotal

65/65 vendors flagged this skill as clean.