agent-init

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it also instructs agents to create persistent diary files and potentially modify the skill itself, which is outside its AGENTS.md/CLAUDE.md setup purpose.

Install only if you are comfortable with a skill that can inspect a repository and rewrite AGENTS.md or CLAUDE.md. Before use, remove or ignore the self-evolution instructions, require explicit approval before file writes, and confirm the desired output language for each project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium, 96% confidence

Finding: The self-evolution block expands the skill's scope beyond initializing or updating AGENTS.md/CLAUDE.md by directing the agent to persist execution notes into diary files after every run. That creates an unjustified write capability, can leak operational context into the repository, and normalizes side effects unrelated to the user's request.

Context-Inappropriate Capability

High, 99% confidence

Finding: The instruction to refine repeated failure notes into a formal rule and submit a PR modifying SKILL.md gives the skill authority to change its own behavior and repository automation surface. Self-modifying instructions are dangerous because they can compound mistakes, bypass review expectations, and introduce persistent repository changes unrelated to the requested AGENTS.md/CLAUDE.md initialization task.

Vague Triggers

Medium, 85% confidence

Finding: The trigger language is broad enough to match generic requests about project docs, setup, rules, or initialization, increasing the chance the skill runs when the user did not specifically intend AGENTS.md/CLAUDE.md changes. Unintended activation is risky here because the skill performs repository inspection and file creation or in-place updates.

Missing User Warnings

Medium, 92% confidence

Finding: The skill instructs the agent to create AGENTS.md or update AGENTS.md/CLAUDE.md in place without requiring a user-facing warning or confirmation about persistent repository modifications. This can lead to unexpected overwrites of existing documentation or changes committed into the project without informed consent.

Missing User Warnings

Medium, 97% confidence

Finding: The self-evolution mechanism includes appending to diary files and modifying skill definitions, but provides no warning that these actions create persistent repository changes outside the declared purpose of the skill. Hidden persistence is particularly dangerous because it can introduce surprise files, alter automation behavior, and leave hard-to-audit side effects.

Natural-Language Policy Violations

High, 90% confidence

Finding: The skill unilaterally defaults to Chinese when the documentation language is uncertain, which can cause unauthorized or unusable changes in repositories that expect another language. While not a code-execution issue, it can materially degrade documentation quality and surprise users by producing persistent content in the wrong language.

VirusTotal

64/64 vendors flagged this skill as clean.