Superpower with Files

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it deserves Review because it can persist project work logs and surface prior local AI conversation history with limited scoping and consent.

Install only if you are comfortable with a workflow that writes persistent project memory files and may inspect prior local AI session history for recovery. Keep .superpower-with-files out of commits when it may contain sensitive information, review generated git/PR actions before allowing them, and avoid using this skill in repositories containing secrets unless you have clear redaction and consent practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (45)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises a broad coding workflow but does not declare permissions even though it appears capable of reading environment data and reading/writing files. Hidden or undeclared capabilities reduce user awareness and consent, which can enable unintended access to local data or filesystem modification when the skill is invoked.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: There is a significant mismatch between the stated purpose and the broader behaviors detected, including reading prior local AI session logs, inspecting IDE data directories, syncing files across folders, and shipping extra utilities. This expands the trust boundary beyond normal planning/TDD workflows and can expose sensitive local history, editor metadata, or repository contents without clear user expectation.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The unified-extension block overrides earlier documented behavior by changing output paths and the required follow-on skill name, creating conflicting instructions inside the same skill. In an agentic system, this can redirect where persistent artifacts are written and alter control flow, increasing the chance of unauthorized file writes, misrouting of plans, or policy bypass through instruction shadowing.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The skill contains contradictory instructions about whether Option 2 should clean up the worktree. An agent following the wrong section could remove a worktree after pushing a PR, potentially deleting a user's active workspace or uncommitted local context and causing workflow disruption or data loss.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The quick reference table says Option 2 keeps the worktree, while Step 5 says cleanup applies to Options 1, 2, and 4. In an automation skill that issues git commands, this inconsistency can cause unintended worktree removal after PR creation, risking loss of local state and confusing or destructive branch management.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The skill’s stated purpose is evaluating and responding to code review feedback, but it additionally requires persistent logging into `.superpower-with-files/`. That expands the skill from analysis into project file mutation and creates an unscoped side effect unrelated to the core task, which can lead to unauthorized writes and retention of sensitive review context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The GitHub API instruction adds an external action capability (posting review replies) that is not necessary for merely receiving and evaluating review feedback. This increases risk because the skill can cause network-side effects and communicate externally without a clear authorization boundary tied to the user’s request.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The skill gives conflicting safety-critical workflow instructions: it first requires using an isolated git worktree, then later says context independence means no dedicated worktree is required. In an execution-oriented skill, that contradiction can cause the agent to run implementation steps directly in the main checkout, increasing the chance of unintended modification to protected branches or sensitive project state.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: The skill claims the agent's sole responsibility is to execute the plan exactly, but later mandates editing multiple project memory files such as progress.md, findings.md, and handoff.md. This hidden expansion of scope can cause unplanned writes outside the implementation plan, making it easier for a crafted plan or repository layout to induce unexpected file modifications.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The skill gives contradictory instructions about whether it must run in a dedicated worktree or can run in any project root. This can cause an agent to choose the less isolated path and operate directly in a production repository, increasing the chance of unintended edits, destructive commands, or leakage across branches and contexts.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The file first mandates saving plans under docs/plans/YYYY-MM-DD-<feature-name>.md, then later says legacy docs/plans instructions should be ignored in favor of .superpower-with-files/active_tdd_plan.md. Conflicting persistence targets are dangerous because an agent may write sensitive implementation details, file paths, commands, or internal plans to unintended locations, break downstream tooling, or overwrite an active plan file unexpectedly.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The skill requires exact code and commands in the main plan, but later instructs that for non-simple projects those details must be moved into separate guide files. This ambiguity can make an agent duplicate sensitive or executable content across multiple files, omit critical details from the main plan, or create inconsistent artifacts that a later execution skill interprets incorrectly.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The handoff message claims the plan was saved to docs/plans/<filename>.md even though later instructions say the default location is .superpower-with-files/active_tdd_plan.md. This can misdirect users and follow-on agents to the wrong file, causing stale-plan execution, missed review, or accidental use of outdated instructions.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The skill first declares isolated worktrees as REQUIRED, then later instructs operators they are not restricted to dedicated worktrees. In a code-modifying workflow, this contradiction can cause execution in the wrong repository or branch, increasing the chance of unintended file changes, branch contamination, or unsafe operations on the user's primary workspace.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: The skill is presented as a same-session subagent orchestration workflow, but later adds mandatory persistent-memory behaviors such as loading plans from framework files and updating progress logs. This expands the skill's operational scope beyond what the description signals, which can surprise users and cause unauthorized reads/writes to framework-managed files during normal development tasks.

Context-Inappropriate Capability

Severity: Low
Confidence: 84%
Finding: The skill mandates writes to `.superpower-with-files` memory artifacts like `progress.md` and timestamp updates even though its stated purpose is task dispatch and review. Unnecessary mandatory writes increase the attack surface for unintended data persistence, noisy modifications, and leakage of test output or project details into framework files unrelated to the user's immediate request.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: This scenario frames the debugging skill as a rigid process that must delay mitigation, then pressures the user toward making a production code change immediately under financial and social pressure. That combination can manipulate operators into bypassing safe incident-response judgment and normal deployment safeguards, especially when the suggested fix is based on an anecdotal memory rather than validated diagnosis.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README advertises persistent file logging and automatic routing of AI-generated plans, findings, and progress without warning users that potentially sensitive project data, prompts, or internal reasoning artifacts may be written to disk. In a coding-agent skill, this increases the chance of unintentionally persisting secrets, proprietary code context, or sensitive debugging output in locations that may later be committed or exposed.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: Claiming that progress is synced to Git Pulse automatically, without disclosing what is transmitted or requiring explicit informed consent, creates a meaningful data exfiltration risk. In the context of an agent skill that operates on source repositories, this could expose source code metadata, task details, filenames, commit-related activity, or other sensitive development information to an external service.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding: The guidance says to use the skill when starting any coding project or for a wide range of development tasks, which is overly broad for a skill with file and environment capabilities. Broad invocation criteria increase the chance the skill is triggered in contexts where its side effects or data access are unnecessary, leading to avoidable exposure or workspace changes.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script prints prior user and assistant conversation content from stored session files directly to stdout, including cross-session context, without an explicit privacy notice, consent gate, or content minimization. In a shared terminal, logging pipeline, screen recording, or multi-user environment, this can expose sensitive prompts, file paths, secrets, and prior assistant outputs to unintended viewers.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: Requiring this skill before 'any creative work' or behavior modification gives it an extremely broad activation scope, causing the agent to interpose planning and repository-inspection behavior into many unrelated requests. That broad trigger can unnecessarily expand access to project files, delay user intent, and force downstream actions not actually needed for the task.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The statement that every project must go through this process creates an unconditional gate that can coerce the agent into unnecessary design, questioning, documentation, and handoff steps regardless of user needs. In practice this can be exploited as workflow hijacking: simple asks are transformed into mandatory multi-step interactions and persistent changes.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The checklist instructs the agent to write a design document and commit it, but it does not clearly disclose that this creates persistent filesystem and git-history changes. Users may invoke the skill expecting planning assistance only, while the agent silently modifies the repository and records irreversible history.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The documentation section operationalizes file creation and committing without an explicit consent checkpoint or warning about persistent side effects. This is dangerous because it normalizes durable repository changes as part of routine brainstorming, which can leak sensitive design notes, pollute history, or violate user expectations about non-destructive assistance.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal