Apollo Neuro

Security checks across malware telemetry and agentic risk

Overview

This routing skill is not malware, but it lowers confirmation requirements for urgent-sounding requests and stores task text locally, so users should review it before installing.

Review this skill before installing if your agent can send messages, publish content, modify files, delete data, change accounts, or perform business or financial actions. If you use it, keep normal confirmations for external, irreversible, privileged, or sensitive tasks, and inspect or clear the local .neuro state file because user task text may be retained there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The script persists the raw task description, route decision, and timing metadata to a state file under /root without any notice, minimization, or retention controls. Task descriptions can contain sensitive user data, so silent logging creates a privacy and data-exposure risk beyond the stated routing purpose.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The read_when triggers use broad everyday terms such as '立即' (immediately), '马上' (right away), and '仔细想想' (think it over carefully), which can match ordinary conversation and activate the skill unintentionally. In this skill's context, accidental activation is risky because activation can route tasks into reduced-confirmation or reduced-scrutiny handling paths.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The manifest trigger list contains generic terms such as '紧急' (urgent), '立即' (immediately), '马上' (right away), '深入分析' (in-depth analysis), and '任务分类' (task classification) without scope constraints. Because these are common phrases, the skill may attach itself to many unrelated requests and influence routing decisions more often than intended, increasing the chance that unsafe fast-path behavior is applied.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The fast path explicitly says to skip multiple confirmation rounds, execute directly, and reduce verification to checking the result rather than the process. That is a genuine safety weakness: a user (or injected text) can use urgency language to reduce safeguards around actions that may be sensitive, irreversible, or high impact.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The intuition path directs the agent to match historical best solutions, output directly, and avoid re-reasoning. Reusing prior outputs without fresh validation can propagate stale assumptions, apply an inapplicable solution to a new context, and produce unsafe or incorrect actions, especially when tasks look similar but differ in important details.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Writing user task descriptions to persistent storage without warning or consent is a real privacy issue, especially because tasks may embed credentials, business context, or personal data. The risk is amplified by storing under /root, where users may not expect hidden retention by a routing helper.
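The two state-file findings above, and the overview's advice to inspect or clear the local .neuro file, can be turned into a small check. This is an added example, not code from the Apollo Neuro skill: the page does not document the record layout, so the script assumes one JSON object per line with a "task" key (falling back to plain text for anything else), and the secret patterns, file name and sample records are constructed for the example.

```python
"""Inspect and clear a local routing-state file that may retain task text.

Added example, not code from the Apollo Neuro skill. The findings say the
skill writes the raw task description, route decision and timing metadata
to a .neuro state file under /root; the page does not document the record
layout, so this assumes one JSON object per line with a "task" key and
treats any non-JSON line as plain text. The secret patterns and the sample
records are constructed for the example.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed patterns for material that should never sit in a helper's log.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "bearer_token": re.compile(r"(?i)bearer\s+[a-z0-9._~+/-]{20,}"),
    "password_assign": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def extract_task_texts(raw: str) -> list[str]:
    """Pull retained task text out of the file contents.

    Assumed format: JSON lines with a 'task' string. Lines that are not JSON
    objects with a 'task' key are kept whole so nothing is silently skipped.
    """
    texts = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            texts.append(line)
            continue
        if isinstance(rec, dict) and isinstance(rec.get("task"), str):
            texts.append(rec["task"])
        else:
            texts.append(line)
    return texts


def redact(match_text: str) -> str:
    """Keep a short prefix so the hit is recognisable without echoing the secret."""
    return match_text[:4] + "*" * (len(match_text) - 4)


def find_secrets(raw: str) -> list[tuple[str, str]]:
    """Return (pattern_name, redacted_match) for every secret-like string."""
    hits = []
    for text in extract_task_texts(raw):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append((name, redact(m.group(0))))
    return hits


def inspect_state_file(path: Path) -> dict:
    """Summarise what the file retains without printing task text in full."""
    raw = path.read_text(encoding="utf-8", errors="replace")
    return {
        "path": str(path),
        "bytes": path.stat().st_size,
        "records": len(extract_task_texts(raw)),
        "secret_hits": find_secrets(raw),
    }


def clear_state_file(path: Path) -> bool:
    """Overwrite, then truncate, so retained task text is gone from the file.

    Best effort only: journaling or copy-on-write filesystems may keep old
    blocks, so treat this as removing the data from the skill's reach, not
    as forensic wiping. Returns True if the file existed.
    """
    if not path.exists():
        return False
    size = path.stat().st_size
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())
        f.truncate(0)
    return True


# Constructed records in the assumed layout; the password and key are fake.
SAMPLE_RECORDS = [
    {"task": "立即 deploy; password=Hunter2!2024 on the staging box", "route": "fast", "ms": 12},
    {"task": "仔细想想 how to structure the quarterly report", "route": "deliberate", "ms": 840},
    {"task": "rotate AKIAABCDEFGHIJKLMNOP before the audit", "route": "fast", "ms": 9},
]


def demo() -> dict:
    """Write the sample records to a temporary .neuro file, inspect, then clear."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / ".neuro"
        path.write_text(
            "".join(json.dumps(r, ensure_ascii=False) + "\n" for r in SAMPLE_RECORDS),
            encoding="utf-8",
        )
        report = inspect_state_file(path)
        clear_state_file(path)
        report["bytes_after_clear"] = path.stat().st_size
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), ensure_ascii=False, indent=2))
```

Point `inspect_state_file` at the real file (under /root per the finding) to see how many records it holds and whether any look like credentials, then `clear_state_file` it; the report never prints a full match, only a four-character prefix.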

Ssd 4

Severity: Medium
Confidence: 96%
Finding
The fast-path narrative normalizes urgency-based bypasses by associating urgent requests with direct execution and simplified verification. This is dangerous because it conditions the agent to treat user phrasing as a reason to lower scrutiny, which can be exploited to rush sensitive actions before adequate checks occur.

Ssd 4

Severity: Medium
Confidence: 97%
Finding
The classification flow directly maps natural-language urgency cues such as '紧急/立即/马上' (urgent/immediately/right away) to the "sympathetic" fast path. This creates a straightforward prompt-based escalation mechanism: benign-seeming wording obtains less scrutiny, and because the routing logic is automatic and keyword-driven, the surrounding skill context becomes more dangerous.
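The vague-trigger and fast-path findings above describe one mechanism: trigger terms in the text pick a route, and the route alone decides how many confirmations the agent asks for. The following is an added illustration, not the skill's own code, of that keyword router next to a hardened one that takes the confirmation count from the action's risk class instead of from phrasing. The English trigger equivalents, the high-risk verb list, `risk_class` and the sample tasks are constructed for the example.

```python
"""Keyword-driven urgency routing next to a hardened router.

Added illustration, not the Apollo Neuro skill's own code. It models the
pattern the findings describe: manifest triggers such as '紧急', '立即',
'马上' select a fast path with fewer confirmation rounds purely from
phrasing. The trigger table (English terms are assumed), the risk-verb list
and the sample tasks are constructed for this example.
"""
import re
from dataclasses import dataclass

# Trigger terms as the findings quote them, plus assumed English equivalents.
URGENCY_CUES = ("紧急", "立即", "马上", "urgent", "immediately")
REFLECTIVE_CUES = ("仔细想想", "深入分析", "think carefully")

# Verbs for actions the page says must keep normal confirmations:
# external, irreversible, privileged, or sensitive. Constructed list.
HIGH_RISK_VERBS = {
    "send", "publish", "post", "delete", "remove", "drop", "transfer",
    "pay", "wire", "chmod", "sudo", "revoke", "rotate", "disable",
}
NORMAL_CONFIRMATIONS = 2  # floor the hardened router keeps for high-risk tasks


@dataclass(frozen=True)
class Route:
    path: str           # "fast", "intuition" or "deliberate"
    confirmations: int  # confirmation rounds the agent will ask for
    reason: str


def matched_triggers(text: str) -> list[str]:
    """Every trigger term found in text; shows accidental activation on chit-chat."""
    return [cue for cue in URGENCY_CUES + REFLECTIVE_CUES if cue in text]


def keyword_router(task: str) -> Route:
    """The risky pattern: an urgency cue alone removes confirmations."""
    if any(cue in task for cue in URGENCY_CUES):
        return Route("fast", 0, "urgency cue: skip confirmations, verify result only")
    if any(cue in task for cue in REFLECTIVE_CUES):
        return Route("deliberate", NORMAL_CONFIRMATIONS, "reflective cue")
    return Route("intuition", 1, "default: reuse historical best solution")


def risk_class(task: str) -> str:
    """Crude action classifier: any high-risk verb makes the task high risk."""
    words = set(re.findall(r"[a-z]+", task.lower()))
    return "high" if words & HIGH_RISK_VERBS else "low"


def hardened_router(task: str) -> Route:
    """Phrasing may still pick a path, but the confirmation count comes from
    the action's risk class, so urgency language cannot lower the floor."""
    urgent = any(cue in task for cue in URGENCY_CUES)
    reflective = any(cue in task for cue in REFLECTIVE_CUES)
    if risk_class(task) == "high":
        return Route("deliberate", NORMAL_CONFIRMATIONS,
                     "high-risk action: urgency cue ignored")
    if reflective:
        return Route("deliberate", NORMAL_CONFIRMATIONS, "reflective cue, low risk")
    if urgent:
        return Route("fast", 0, "urgent and low risk: fast path is acceptable")
    return Route("intuition", 1, "default, low risk")


# Constructed sample inputs.
SAMPLES = {
    "escalation": "紧急！立即 delete the old backups and send the summary to the client",
    "benign_urgent": "立即 summarize this meeting note for me",
    "chitchat": "我马上回来，晚点再看这个",  # "I'll be right back, will look at it later"
}

if __name__ == "__main__":
    for name, task in SAMPLES.items():
        print(f"{name}: triggers={matched_triggers(task)}")
        print(f"  keyword : {keyword_router(task)}")
        print(f"  hardened: {hardened_router(task)}")
```

The escalation sample shows the problem in one line: the keyword router sends a delete-and-send request down the fast path with zero confirmations because it starts with '紧急', while the hardened router keeps the normal two. The chit-chat sample still matches '马上' in both routers; narrowing the trigger terms is a separate fix from keeping the confirmation floor.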

VirusTotal

65/65 vendors rated this skill clean.
