RUNE Prompt Amplification

Security checks across malware telemetry and agentic risk

Overview

This prompt-amplification skill may do what it claims, but it hands your prompt to code in a separate repository that was not part of this review, and before doing so it sources your entire ~/.secrets file into its process, not just the one key it needs.

Review this before installing. Only use it if you have inspected the external RUNE repository, trust it, and know which service RUNE_API_KEY authenticates to. Export only RUNE_API_KEY for a single run instead of letting the script source ~/.secrets, do not feed it sensitive prompts until you know where the text goes, and pin the local wand.py dependency to a reviewed revision or checksum that you verify before each run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The script loads $HOME/.secrets and requires RUNE_API_KEY even though the skill is presented as a local prompt-transformation utility. This creates unnecessary access to user secrets and strongly suggests the prompt may be sent to an external service, exposing sensitive user input and widening trust beyond the skill itself.

Description-Behavior Mismatch

Medium severity, 91% confidence
Finding
The skill delegates its core behavior to a script in a separately cloned repository (/Users/.../rune/wand.py, a path outside the skill's own directory) rather than implementing the advertised functionality within the skill. That code is outside the reviewed artifact, so a review of the skill alone cannot tell users what will happen to their prompts, secrets, or environment when it runs.

Vague Triggers

Medium severity, 80% confidence
Finding
The description is so broad that it can match almost any prompt-transformation request, increasing the chance the skill is auto-selected in contexts where users did not intend to invoke a tool with external dependencies and secret usage. Overbroad activation increases the attack surface because a seemingly harmless request could trigger repository-backed execution or API-backed processing without clear user awareness.

Missing User Warnings

Medium severity, 88% confidence
Finding
The requirements instruct users to place RUNE_API_KEY in ~/.secrets but provide no warning that this is sensitive credential material. This is risky because it normalizes secret handling without explaining permissions, sourcing behavior, or the possibility that downstream scripts or repositories may read and misuse that credential.

Missing User Warnings

Medium severity, 90% confidence
Finding
The setup command appends an API key export directly into ~/.secrets, modifying a credential store file without any warning or safeguards. This can lead to accidental persistence of secrets in an insecure location, shell-history exposure during setup, and unreviewed consumption of the key by other tools or scripts on the system.

Missing User Warnings

Medium severity, 97% confidence
Finding
Sourcing $HOME/.secrets silently imports arbitrary shell content from a user dotfile, with no warning about what variables or commands may be brought into the current process. This is dangerous because it couples the skill to unrelated sensitive material and can execute shell code from that file in the skill's context.

Missing User Warnings

Medium severity, 95% confidence
Finding
The script passes the full user prompt to wand.py after loading an API key, without any explicit disclosure that the content may be processed by an external tool or remote API. If users provide proprietary, personal, or regulated text, this can result in unintended data exfiltration or privacy violations.
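The mitigations the overview recommends (export only RUNE_API_KEY for one run, do not source ~/.secrets, pin wand.py) and the two hazards the findings describe (sourcing a dotfile executes whatever it contains; appending an export line during setup puts the key in shell history) as a worked example. This is added shell code, not the skill's script and not anything from the RUNE repository; the KEY=VALUE layout of ~/.secrets, the pinned hash, and wand.py reading the prompt on stdin are assumptions.

```shell
#!/bin/sh
# Added example (not code from the skill or the RUNE repository): handle the
# RUNE_API_KEY and the wand.py dependency without the hazards in the findings.
# The ~/.secrets format, the pinned hash and wand.py's stdin interface are assumptions.

# Read one KEY=VALUE line (optionally "export KEY=VALUE", optional quotes) from a
# secrets file with sed instead of sourcing it, so nothing else in the file (other
# variables, or actual commands) is ever executed. Prints the value; exit status is
# 1 if the file is unreadable or the key is absent or empty.
read_secret() {
  file="$1"; key="$2"
  [ -r "$file" ] || return 1
  val=$(sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?${key}=[\"']?([^\"']*)[\"']?[[:space:]]*\$/\2/p" "$file" | head -n 1)
  [ -n "$val" ] && printf '%s\n' "$val"
}

# Append KEY=VALUE to a secrets file, taking the value from stdin rather than a
# command-line argument so it never lands in shell history or `ps` output, and
# creating the file mode 0600 if it does not yet exist (an existing mode is kept).
store_secret() {
  file="$1"; key="$2"
  val=$(cat)
  [ -n "$val" ] || return 1
  ( umask 077; printf '%s=%s\n' "$key" "$val" >> "$file" )
}

# SHA-256 of a file, with whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Refuse to run wand.py unless its hash matches the value pinned at review time.
verify_pin() {
  file="$1"; expected="$2"
  [ -r "$file" ] || return 1
  [ "$(sha256_of "$file")" = "$expected" ]
}

# One run with a minimal environment: only PATH, HOME and RUNE_API_KEY reach
# wand.py, and the prompt goes over stdin. The pinned hash is a hypothetical
# value you record yourself after inspecting the repository.
run_rune() {
  wand="$1"; pinned="$2"; prompt="$3"
  key=$(read_secret "$HOME/.secrets" RUNE_API_KEY) || { echo "RUNE_API_KEY not found in ~/.secrets" >&2; return 1; }
  verify_pin "$wand" "$pinned" || { echo "wand.py does not match the pinned hash; refusing to run" >&2; return 1; }
  printf '%s' "$prompt" | env -i PATH="$PATH" HOME="$HOME" RUNE_API_KEY="$key" python3 "$wand"
}
```

A secrets file that contains a command line alongside the key shows the difference: `. ~/.secrets` runs that command in the skill's process, while `read_secret` only returns the key's value. Record the wand.py hash once you have read the repository and pass it as the pin; a mismatch after a `git pull` is a cue to read the diff, not to update the pin blindly.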

VirusTotal

66/66 vendors flagged this skill as clean. A clean result means no vendor matched the artifact against known-malware signatures; it does not assess the secret-sourcing, external-code and data-flow concerns listed in the findings above.
