teammate.skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly malicious, but it can collect, persist, export, and impersonate sensitive coworker communications without enough consent, scoping, or review safeguards.

Install only with clear organizational approval and, where required, the teammate's consent. Use least-privilege Slack and GitHub scopes, narrow channel/repo/date selection, avoid private messages and regulated or HR/customer data, review generated SKILL.md files before global installation, run the privacy scan before sharing, and do not use --include-knowledge unless you intend to package raw source data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (40)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Including `/delete-teammate` with `rm -rf teammates/{slug}` introduces destructive capability beyond core creation/distillation behavior. Even with a 'Confirm' note, unvalidated path parameters or user confusion could lead to irreversible deletion of stored artifacts.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill goes beyond generating files and automatically copies a generated skill into global agent skill directories, effectively modifying the runtime's persistent trusted surface. Auto-installation of derived content is risky because the generated skill may contain sensitive material or unsafe instructions and becomes callable later without renewed review.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The module docstring states that exports contain only generated skill files and not raw knowledge/source data, but the implementation supports `--include-knowledge` and packages all files under `knowledge/`. This mismatch can cause operators to trust the tool as privacy-safe and unintentionally export personal messages, PII, or other sensitive source material, which is especially risky in a skill designed to distill teammate data from Slack/Teams/GitHub.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This section instructs users to create a Slack app with broad read scopes and collect messages, threads, and reactions, but it does not warn that this may capture private or regulated workplace communications or require consent and authorization. In the context of a skill designed to 'distill a teammate' by harvesting communications, the omission materially increases the risk of privacy violations, insider misuse, and unauthorized surveillance.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The GitHub collector guides users to create a PAT and collect PRs, reviews, commits, and issue comments without warning that this can expose proprietary code discussions, security fixes, secrets in comments, or private repository metadata. Because the skill's purpose is knowledge extraction from a teammate, this creates a meaningful risk of over-collection and unauthorized processing of sensitive engineering data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These instructions cover exporting email, Teams, Notion, Confluence, JIRA, and Linear data, all of which commonly contain confidential business, HR, legal, customer, and personal information, yet there is no privacy, consent, or authorization warning. In this skill context, the lack of safeguards around bulk export and parsing of enterprise data makes misuse and accidental policy violations substantially more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README encourages ingesting highly sensitive sources such as Slack messages, emails, meeting notes, and internal documents to model a coworker, but it does not present an upfront warning about consent, authorization, data minimization, or employer policy constraints at the point of collection. In this skill’s context, that omission is dangerous because the core workflow is mass collection and processing of private communications, which materially increases the risk of privacy violations, unauthorized surveillance, and accidental capture of secrets or regulated data.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The documented `/delete-teammate {slug}` command is destructive, yet the README does not warn that it may permanently remove generated skill artifacts, metadata, or version history. In a tool built around accumulating knowledge and iterative updates, silent destructive operations increase the chance of accidental loss and make operator mistakes more costly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README encourages ingesting Slack messages, emails, meeting notes, and other human-generated sources that commonly contain personal data, confidential business information, and secrets, but it does not present a prominent upfront privacy/consent warning at the point where collection is introduced. In a skill explicitly designed to "capture" a coworker into an AI artifact, omission of clear consent, data minimization, and authorization guidance materially increases the risk of privacy violations and unauthorized processing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation advertises automatic collection from Slack and GitHub and mentions Bot Tokens and GITHUB_TOKEN, but does not pair that guidance with a clear warning about scope restriction, least-privilege token configuration, user/org authorization, and the sensitivity of the accessed data. That makes accidental overcollection and misuse of privileged API access more likely, especially for non-expert users installing the skill from README instructions alone.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation promotes automatic ingestion of Slack, GitHub, email, Teams/Outlook exports, and other sources rich in sensitive data in order to "distill" a person, without explicitly requiring consent, organizational authorization, data minimization, or legal/HR review. In the context of this skill, this is not a mere documentation oversight: the product is designed to centralize and transform potentially confidential and personal content, which greatly increases the risk of unauthorized collection, privacy violations, and leakage of secrets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes automatic collection from Slack and GitHub as a normal feature, but does not foreground consent, authorization, data-minimization, or legal/HR requirements. In a context that reconstructs an employee's voice and behavior, this can lead to internal surveillance, excessive collection of sensitive content, and unauthorized processing of personal and company data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation encourages uploading emails, chats, documents, notes, and screenshots to imitate a person without an upfront warning about the risks of PII, company secrets, third-party data, and confidential content. This makes it likely that users will feed highly sensitive material into a system designed precisely to extract and persist personal and professional knowledge.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes ingesting Slack, GitHub, email, meeting notes, and other high-sensitivity sources to build an AI persona, but it does not front-load clear consent, authorization, retention, or organizational policy requirements. In this skill’s context, that omission is dangerous because the advertised use case is to preserve a departing employee’s knowledge, which creates strong incentives to bulk-collect private communications and confidential data without adequate legal or internal approval.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly encourages ingesting Slack messages, emails, GitHub activity, and documents to model a coworker, but it does not foreground consent, employer policy, retention, or privacy risks before soliciting that data. In this skill’s context, the omission is more dangerous than in a generic file-processing tool because the whole workflow is built around collecting highly sensitive personal and workplace communications, which can enable privacy violations, policy breaches, or unauthorized surveillance of a departing employee.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README prominently encourages ingesting Slack messages, emails, meeting notes, and other potentially sensitive organizational data to build a persistent AI persona, but it does not present an upfront consent, authorization, or privacy warning at the point of collection. That omission can lead users to process personal data, confidential business information, or regulated content without verifying legal basis, employee consent, retention limits, or internal approval.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation advertises automatic Slack and GitHub collection via API tokens without a clear user-facing warning that these credentials may grant broad access to organizational communications, code review history, and internal metadata. In this skill's context, auto-collection increases the chance of over-collection, misuse of privileged tokens, and unintended ingestion of sensitive company data into generated artifacts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README encourages users to supply or auto-collect Slack messages, GitHub activity, emails, meeting notes, and similar sources to recreate a colleague's working style, but it does not present clear consent, authorization, and privacy warnings at the moment this capability is introduced. That creates a realistic risk of ingesting personal, confidential, or regulated workplace data without appropriate approval, especially because the skill's purpose is to preserve and reproduce an individual's voice and behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The supported-data-source table advertises automatic Slack and GitHub collection via API without an immediate warning that these sources may expose sensitive workspace communications, code review content, secrets, customer information, or internal business context. Presenting automated harvesting as a simple feature lowers user caution and increases the chance of over-collection beyond what is necessary or permitted.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad triggers like 'New teammate' or 'Make a skill for XX' overlap with ordinary conversation and can activate high-risk collection workflows unintentionally. In a skill capable of harvesting communications and writing persistent artifacts, ambiguous activation increases the chance of accidental sensitive-data processing.

Missing User Warnings

High
Confidence
97% confidence
Finding
The description does not warn users that the skill may collect and process private coworker communications, emails, documents, and source-control activity. Omitting this disclosure undermines informed consent in a workflow centered on sensitive personal and enterprise data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill performs writes into global skill directories without a prominent user-facing warning at the point of action. Persistent installation changes the agent environment and can expose future sessions to generated content that has not been separately audited.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad natural-language patterns like "Compare Alex and Bob's approach to X" and "Who would be better for X?", which can easily match ordinary user conversation rather than an explicit command. In an agent skill that reads teammates' work.md and persona.md, this can cause unintended activation and disclosure or synthesis of sensitive internal profile data when the user did not clearly intend to invoke the comparison skill.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The prompt defines very broad natural-language triggers such as 'actually', 'more like', and 'less like' as correction commands, which can overlap with ordinary conversation. In a skill that models and continuously updates a teammate persona, this can cause unintended state changes from casual user phrasing or adversarial prompt injection, poisoning persona/work files without clear user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The handler instructs the agent to append to correction logs immediately and explicitly says not to ask for confirmation on simple corrections, but it does not require a user-facing warning that a persistent file write will occur. In this skill's context, those writes alter the evolving representation of a real coworker, so silent modifications can be abused to permanently corrupt behavior, create reputational harm, or smuggle malicious instructions into downstream prompts.

VirusTotal

65/65 vendors flagged this skill as clean.
