ClawHub

Everything Claude Code

Security checks across malware telemetry and agentic risk

Overview

This package is not clearly malicious, but it needs review because it includes broad persistent hooks, external model workflows, and high-impact agent instructions beyond a simple guide.

Install only if you want a broad agent toolkit, not just documentation. Before enabling it, review and trim the hooks, avoid using continuous-learning on sensitive projects unless you accept local logging of tool inputs/outputs, do not assume external model commands are isolated, and remove or modify the chief-of-staff git push behavior if it could touch private communications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (236)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill mandates `git commit & push` as part of post-send processing even though remote version-control publication is not necessary to triage or reply to communications. In this context, that behavior can exfiltrate or broadly replicate sensitive personal communication metadata and derived notes to a remote repository, expanding the blast radius far beyond the local assistant workflow.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document explicitly claims external models have zero filesystem write access, yet the Codex invocation passes the current working directory ("$PWD") into the wrapper, which strongly suggests repository access is being granted. This mismatch is dangerous because users and downstream agents may rely on the documented safety guarantee and expose sensitive code or permit actions they would otherwise refuse.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document claims external models have zero filesystem write access, but the defined invocation passes "$PWD" into the external codeagent-wrapper session. Even if direct write APIs are restricted, mounting the working directory exposes repository contents and may enable unintended read/write side effects depending on wrapper behavior, plugins, or tool configuration; the contradiction also misleads users about trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The workflow instructs the agent to invoke external backends via a shell wrapper and use MCP services with prompt enhancement and context retrieval, but it provides no explicit security boundary, permission model, or task-scoped limitation on what data may be sent out. Because $ARGUMENTS and project context are forwarded to external models, this can cause unintended disclosure of repository contents or sensitive user input, especially in a generic development workflow that may be run in arbitrary projects.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The command advertises a `Secrets` result in the verification report, but the documented execution steps do not include any secrets scan for the default `full` flow. This can mislead users into believing sensitive-token detection was performed when it was not, creating a false sense of security and increasing the chance that credentials or API keys are committed or approved unnoticed.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The documentation states that actual code snippets are excluded from exports, but it also documents a flag that can include evidence text. Evidence text may contain code fragments, prompts, secrets, or other sensitive contextual data, so this creates a misleading privacy guarantee that could cause users to export more sensitive material than intended.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This skill exposes a generic orchestration interface for launching external model backends via shell commands and coordinating background tasks, but it does not meaningfully constrain what tasks may be delegated or what data may be sent. In a security context, broad multi-agent orchestration with external services increases the risk of unintended data exfiltration, unsafe delegation, and execution of high-risk workflows beyond the user's informed intent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The workflow mandates MCP prompt-enhancement and context-retrieval calls for all tasks without defining scope limits, data classification rules, or user consent boundaries. That creates a real risk that sensitive user input, repository context, or proprietary code will be sent to auxiliary services unnecessarily or more broadly than intended.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document gives contradictory CSRF guidance: it sets `CSRF_COOKIE_HTTPONLY = True` and says this prevents JavaScript access, but the AJAX example retrieves `csrftoken` from `document.cookie`. If copied as-is, developers may either ship broken CSRF protection or disable `HttpOnly`/weaken CSRF handling to make the example work, creating confusion around a security-critical control.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill describes `python manage.py migrate` as a test-environment verification step, but it is a real state-changing operation that modifies the database. In an agent skill context, presenting it without a prominent safety warning or confirmation gate can cause unintended schema/data changes when run against the wrong environment.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented command unconditionally creates a superuser and hardcodes privileged credentials, despite being framed as conditional for testing. This can introduce a known admin account into any connected environment, enabling unauthorized access if executed in shared, staging, or production systems.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The document claims external models have zero filesystem write access, but the prescribed wrapper is invoked against the current working directory ("$PWD"), which weakens or contradicts that guarantee unless strict sandboxing is independently enforced. This can mislead users into trusting an isolation boundary that is not demonstrated by the documented invocation pattern, increasing the risk of unintended file access or modification by external tooling.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs installing PM2 globally with `npm install -g pm2` if it is missing. A global package installation modifies the host environment outside the project scope, may require elevated privileges, and introduces supply-chain and persistence risks that are broader than merely generating PM2 command files.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The skill directs the agent to create or modify `CLAUDE.md`, which expands behavior from service initialization into documentation mutation. While not directly a security exploit, it is an unnecessary write capability that can overwrite user-maintained content and create unintended project modifications without clear consent.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The privacy section claims that actual code or conversation content is not shared, but the skill explicitly describes capturing prompts and tool-use observations and deriving exportable instincts from them. Even if raw logs remain local, derived artifacts can still leak sensitive project details, workflows, identifiers, or behavioral patterns, so the claim is materially misleading.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The authorization example is internally inconsistent: the comment and queryset suggest users may edit their own posts, but the class-level PermissionRequiredMixin requires a broader special permission. In a security guidance skill, contradictory access-control examples can cause developers to implement the wrong rule, leading to unintended denial of access or overly permissive edits if they copy only part of the pattern.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The CSP example is presented as security guidance for XSS protection, but it explicitly permits 'unsafe-inline' and 'unsafe-eval', which substantially weaken CSP and can allow inline script execution or eval-like execution paths. In a security-review skill, misleading hardening guidance is especially risky because users may copy it verbatim and believe they are protected when they are not.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documented `PhotoProcessor` pattern is unsafe because it marks the type `nonisolated` while mutating shared state (`cachedStickers`) from an async method that can be called concurrently. Readers following this example may introduce real data races, memory corruption, or nondeterministic cache behavior, especially because the surrounding text frames the pattern as the correct way to use `@concurrent` and suggests mutable-state access is safe under the build settings.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document claims observations remain local and that actual code or conversation content is not shared, yet earlier sections explicitly describe collecting prompts, tool calls, and results for analysis by a background observer agent. Even if the agent runs locally, the privacy claim is misleading because sensitive session data is still being captured and processed, which can cause users to underestimate exposure.

Context-Inappropriate Capability

Low
Confidence
95% confidence
Finding
The documentation exposes a personal absolute local filesystem path (`/Users/affoon/Documents/tasks/12-continuous-learning-v2.md`) that is unrelated to the skill's portable operation. While not directly exploitable on its own, it leaks developer environment details and can reveal usernames, workstation structure, or internal project naming that may aid reconnaissance or unintentionally disclose sensitive information.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The CSP example is presented as a secure configuration, but it explicitly allows 'unsafe-inline' and 'unsafe-eval' in script-src, which significantly weakens XSS protections and can permit injected JavaScript execution. In a security-review skill, this is more dangerous than usual because readers are likely to copy the example verbatim as recommended best practice.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The recommended bulk insert example builds an SQL statement by directly interpolating untrusted trade fields into the VALUES clause. If any field contains quotes or crafted payloads, this can break query structure, enable SQL injection, corrupt inserted data, or cause unexpected statements to run depending on driver behavior. Because the skill explicitly marks this as the recommended approach, it increases the likelihood that users will copy an unsafe pattern into production code.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The import command fetches arbitrary HTTP(S) URLs and ingests their contents into the local instincts store with no allowlist, integrity check, size limit, or explicit trust warning. In a skill-management context, importing untrusted remote content is security-relevant because it can seed malicious instructions or prompt content that later influences agent behavior across projects.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The CSRF section sets `CSRF_COOKIE_HTTPONLY = True` and then provides JavaScript that reads the `csrftoken` cookie via `document.cookie`. In Django, an HttpOnly CSRF cookie cannot be read by JavaScript, so this guidance is internally inconsistent and can lead implementers to deploy broken CSRF protection for AJAX endpoints or weaken settings to make the example work.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The view claims to allow users to edit their own posts via `get_queryset()`, but `PermissionRequiredMixin` requires `app.can_edit_others` for all access. That mismatch can cause authorization logic to behave contrary to the documented security model, often resulting in improper denial of legitimate actions and encouraging unsafe permission workarounds by developers.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal