Donad Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is local-only and not malicious, but its template-generator listing is mixed with a persistent local logging tool that stores user entries and command history.

Review before installing if you expected only a skill-template generator. Do not enter secrets or sensitive notes unless you are comfortable with them being stored locally under ~/.local/share/skill-template or SKILL_TEMPLATE_DIR and later exportable to stdout. There is no evidence of exfiltration or malware, but the package should better align its metadata, help text, and actual default script behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

High
98% confidence
Finding
The manifest presents one trust boundary (a template/scaffold generator) while the main documentation presents a different tool focused on logging, storage, search, and export. Such a split identity is a strong security concern because reviewers may approve the skill for one purpose while it is socially engineered to be used for another with broader data-handling implications.

Description-Behavior Mismatch

High
98% confidence
Finding
Across most of the file, the skill claims to be a template generator but operationally reads like a general-purpose notebook/database utility. A misleading manifest is dangerous in skill ecosystems because users and automated policy systems often rely on metadata to decide installation, trust, and allowed environments.

Description-Behavior Mismatch

High
96% confidence
Finding
The script's actual behavior is a generic local logging/data-management CLI, which materially differs from the advertised purpose of generating and validating skill scaffolds. This mismatch is dangerous because users may run it expecting harmless template operations while it persistently records command input and manages local data, creating a trust and transparency problem even if no overtly malicious action is present.

Intent-Code Divergence

Medium
92% confidence
Finding
The inline description and help text label the tool as a 'Multi-purpose utility tool,' contradicting the declared specialized skill-template functionality. In a security-sensitive skill ecosystem, misleading documentation increases the chance that reviewers and users misunderstand what the tool does, which can conceal unexpected behaviors such as logging or local data retention.

Vague Triggers

Medium
83% confidence
Finding
Describing the skill as a broad multi-purpose utility without clear activation boundaries makes it easier to repurpose in unexpected contexts and harder for users to understand what it should and should not do. In agent environments, vague scope increases the risk of overbroad invocation and accidental handling of sensitive data.

Missing User Warnings

Medium
91% confidence
Finding
The documentation states that the tool creates local files, logs all commands, and supports export, but it does not prominently warn users about disk writes, history retention, or possible exposure of sensitive entries via export. This is risky because users may enter secrets or personal data assuming ephemeral processing, when the skill actually persists both content and command history.

Missing User Warnings

Medium
98% confidence
Finding
The script persistently writes command names and user-supplied arguments to history.log and stores added data in data.log without any user-facing warning, minimization, or opt-in. This is dangerous because arguments often contain sensitive project names, paths, tokens, prompts, or other operational data that users would not expect a template generator to retain on disk.

VirusTotal

64/64 vendors flagged this skill as clean.
