keep-learning

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed local knowledge-ingestion tool, but users should understand it can remember selected file contents and may run git pull on the chosen repository.

Install only if you want an agent to read and remember information from a specific local knowledge folder. Use a narrow directory that does not contain secrets, personal files, or unrelated proprietary code, and be aware that if the folder is a git repository the skill may run git pull and change the local checkout before indexing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The changelog explicitly states the skill performs an automatic git pull before learning, which goes beyond a purely local-directory learning capability and introduces network-driven state changes. In a memory-ingestion skill, this expands the trust boundary: remote repository content can be fetched and then immediately processed into agent memory, increasing the risk of unintended data ingestion or prompt/content poisoning.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The README states the skill will automatically pull the latest Git changes before learning, which means a skill advertised as reading local knowledge can also modify repository state. That expands the trust boundary from passive ingestion to active mutation and can introduce unreviewed upstream changes into the local workspace.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
Auto-pulling is not necessary to fulfill the stated purpose of learning and memorizing local files, so it introduces extra capability without clear justification. Unnecessary write/network behavior increases risk by allowing remote content changes to affect what is learned and potentially alter the user's local checkout.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README describes actions that can modify repositories and create persistent local state, but it does not prominently warn users about those side effects. Lack of explicit disclosure undermines informed consent and can lead users to run a skill believing it is read-only when it is not.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs reading local directories and storing extracted knowledge in agent memory, but it does not warn users that contents from local files may be persisted outside the source tree and surfaced later in unrelated conversations. In this context, the skill targets broad knowledge-base ingestion across markdown and code files, which increases the chance of collecting secrets, proprietary code, personal notes, or other sensitive data without meaningful user consent or scoping.

Missing User Warnings

Medium
Confidence: 96%
Finding
The workflow directs the agent to run git pull automatically whenever the knowledge base is a git repository, without requiring explicit confirmation that this will modify the user's working copy. In a local-learning skill, this is risky because pull can change files, trigger merge conflicts, overwrite assumptions about repository state, and interact badly with uncommitted work, making the behavior more dangerous than a read-only indexing task.

VirusTotal

64/64 vendors reported this skill as clean.