04 Automatic Iteration (自动迭代)

Security checks across malware telemetry and agentic risk

Overview

This skill is a useful local task-iteration helper, but it can read local files, overwrite files in the current project, and retain task results, so users should review it before installing.

Install only if you are comfortable running it in a dedicated workspace. Avoid using it around secrets or private directories, review task steps before execution, inspect file changes afterward, and periodically delete ~/.ai_iteration_log.db if task history may contain sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)


Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares no permissions, yet its documented capabilities include reading files, writing files, and a Python-based engine that could plausibly invoke shell-like execution paths. This mismatch is dangerous because downstream policy engines and users may treat the skill as lower risk than it actually is, enabling file-system access without explicit consent or review.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill advertises itself as a safe automation system, but it silently persists task names, results, and iteration data to a SQLite database in the user's home directory. This creates an information-disclosure risk because sensitive prompts, file contents, results, or error messages may be retained longer than users expect.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill claims safety but includes a write primitive that can modify arbitrary files under the current working directory. In many real environments, the current directory may contain source code, configs, scripts, or documentation, so this capability is more powerful and riskier than the description suggests.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The read tool allows access to arbitrary existing local paths with no restriction to a workspace, project root, or approved directory. In a skill marketed for task iteration and optimization, this generic file-read capability unnecessarily expands access to potentially sensitive local data such as credentials, SSH keys, and application secrets.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The generic write capability is a real security concern because it can alter arbitrary files within the current working directory, which may include executable code, configuration, CI files, or documentation consumed by other tools. Even without escaping the cwd, this enables integrity attacks, persistence in project files, or sabotage of local development assets.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module repeatedly presents itself as 'safe', but the read tool can access arbitrary existing paths on the host without workspace confinement. That mismatch is dangerous because it can cause users or integrating agents to trust the component more than warranted and supply it with sensitive tasks or environments.
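The workspace confinement that the read and write findings above call for, written here as an added example and not the skill's own code: both the workspace root and the requested path are fully resolved before the containment check, so `../` segments, absolute paths and symlinks pointing out of the workspace are rejected. The names `confine_path`, `confined_read`, `confined_write` and the throwaway workspace built in `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path

class PathOutsideWorkspace(PermissionError):
    """Raised when a requested path resolves outside the approved workspace."""

def confine_path(workspace_root: str, requested: str) -> Path:
    """Resolve `requested` and require it to lie inside `workspace_root`."""
    # Both sides are fully resolved (symlinks included) before the check, so
    # `../`, absolute paths and symlinks pointing outside are rejected rather
    # than followed; relative requests are anchored at the root, not the cwd.
    root = Path(workspace_root).resolve(strict=True)
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathOutsideWorkspace(f"{requested!r} resolves outside {root}") from None
    return candidate

def confined_read(workspace_root: str, requested: str) -> str:
    return confine_path(workspace_root, requested).read_text(encoding="utf-8")

def confined_write(workspace_root: str, requested: str, content: str) -> Path:
    target = confine_path(workspace_root, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target

def demo() -> dict:
    """Exercise the guard on a constructed throwaway workspace (sample data)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "project"
        ws.mkdir()
        (ws / "notes.txt").write_text("draft v1", encoding="utf-8")
        secret = Path(tmp) / "secret.key"      # lives outside the workspace
        secret.write_text("do-not-read", encoding="utf-8")
        (ws / "link").symlink_to(secret)       # symlink escaping the workspace
        results["inside"] = confined_read(str(ws), "notes.txt")
        attempts = {"traversal": "../secret.key", "absolute": str(secret),
                    "symlink": "link", "system_file": "/etc/hostname"}
        for label, path in attempts.items():
            try:
                confined_read(str(ws), path)
                results[label] = "allowed"
            except PathOutsideWorkspace:
                results[label] = "blocked"
        written = confined_write(str(ws), "out/result.md", "iteration 1")
        results["write"] = str(written.relative_to(ws.resolve()))
    return results
```

Pairing such a guard with an explicit permission declaration would also close the mismatch noted in the MCP Least Privilege finding, since the declared scope and the enforced scope would then be the same root.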

Vague Triggers

Medium
Confidence
77% confidence
Finding
The invocation examples are broad enough to match ordinary requests like writing reports, analyzing code, or improving content, which can cause the skill to activate in unintended contexts. Because this skill performs iterative actions with file read/write behavior, overly broad triggering increases the chance of unexpected autonomous execution and repeated side effects.

VirusTotal

51/51 vendors flagged this skill as clean.
