ClawdGo

Security checks across malware telemetry and agentic risk

Overview

This security-training skill is not clearly malicious, but it needs review because it can write persistent memory/profile files and set up a real scheduled training job with broad triggers and limited upfront consent.

Install only if you want a stateful Chinese cybersecurity-training companion that keeps local training memory and may schedule B-mode drills. Review the triggers, understand that it writes runtime files and a soul.md anchor, and avoid enabling B-mode cron or GitHub PR actions unless you explicitly want those side effects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding
The skill instructs the agent to configure and interact with real cron scheduling, including giving exact shell commands. For a text-only training companion, this expands scope into host-level persistence and task automation, which can be abused to create unwanted scheduled jobs or normalize unsafe operational changes on the user's system.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding
Authorizing a GitHub PR flow and git command execution exceeds the stated training purpose and opens an unnecessary path to repository modification and data exfiltration via commits or remotes. Even if framed as command-as-consent, it conditions the agent to perform external side effects beyond educational chat behavior.

Vague Triggers

Severity: High | Confidence: 97%
Finding
The trigger set includes broad everyday words such as 导航, 菜单, 主页, 帮助, 指令, and 命令. This makes accidental invocation likely in unrelated conversations, which is more dangerous here because the skill also attempts file persistence and mode changes automatically once triggered.

Vague Triggers

Severity: High | Confidence: 99%
Finding
Single-letter triggers A-H are extremely collision-prone and can be invoked accidentally in ordinary chat, grading, lists, or multilingual text. In this skill, accidental activation matters because entering modes can lead to persistent state changes, file writes, and cron-related guidance.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding
The skill persists user-related state into soul.md and multiple runtime files, but the contract does not require clear user notice or informed consent before storing that data. Silent persistence increases privacy risk, especially when storing names, training history, weaknesses, and generated scenario artifacts across sessions.

Natural-Language Policy Violations

Severity: Medium | Confidence: 92%
Finding
The file is entirely written in Chinese and mandates a Chinese-first interaction flow without offering language selection or fallback behavior. In a security training skill, this can cause users to misunderstand instructions, miss warnings, or make incorrect decisions during guided exercises, weakening the effectiveness and safety of the training experience.

Vague Triggers

Severity: Medium | Confidence: 95%
Finding
The stop keywords are extremely broad, including generic terms like '暂停', '停止', '结束', and '回到导航', which can easily appear in ordinary conversation rather than as explicit control commands. In a skill that creates and manages scheduled cron-driven behavior, accidental matching could silently stop automation, alter state, and cancel tasks without clear user intent.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The skill instructs the agent to create or reuse a scheduled task ('clawdgo-b-drill') and later cancel it, but it does not prominently warn users that entering B mode will establish persistent scheduled behavior. This can lead to consent and transparency issues, where users may unknowingly trigger background automation that continues until explicitly stopped.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding
The README explicitly states that first activation will automatically inject `soul.md` content and create `runtime/clawdgo-profile.json` without requiring manual action. Silent file creation/modification on trigger is risky because it changes persistent state without explicit user consent, which can surprise users, complicate auditing, and be abused as a foothold for persistence or hidden configuration changes. In this skill context, the risk is elevated because the skill is stateful and training-oriented, so automatic writes can influence future behavior and trust boundaries.

Vague Triggers

Severity: Medium | Confidence: 87%
Finding
The file defines an automatic bootstrap write on the skill's 'first wake-up' without precise gating, confirmation, or scoped preconditions. In an agent environment, broadly triggered initialization that writes to a memory file can cause unintended persistence, state poisoning, or modification of user data simply by invoking the skill under ambiguous conditions.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The skill states it will automatically inject content into soul.md on first activation, but does not provide an explicit user warning or consent flow for modifying files. Silent persistence is risky in agent skills because it can alter long-term memory/state, surprise the user, and create a foothold for later behavior changes or trust manipulation.

Vague Triggers

Severity: High | Confidence: 95%
Finding
The trigger list includes common conversational terms such as help/menu/navigation-style phrases that are broad enough to activate the skill unintentionally during unrelated chats. In a skill with autonomous or multi-step training modes, accidental invocation can shift the assistant into a different behavior boundary, causing confusing or unsafe execution of security-themed workflows.

Vague Triggers

Severity: Medium | Confidence: 90%
Finding
These conversational triggers are ambiguous and insufficiently scoped, making it plausible that ordinary user dialogue could invoke the skill accidentally. Because the skill is security-training themed and exposes multiple operational modes, unintended activation increases the chance of mode confusion, prompt hijacking through trigger collision, or unauthorized access to specialized behavior.

VirusTotal

67/67 vendors flagged this skill as clean.