ClawHub

matlab-simulation-optimizer

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does the MATLAB optimization it advertises, but it also tells the agent to keep persistent diary notes and propose changes to the skill itself, which goes beyond a normal user task.

Install only if you are comfortable with an agent that can directly edit MATLAB source files, remove confirmed-unused code, and create summary or scan-output files in the project. Use version control and ask for an analysis-only or patch-preview pass first. Remove or ignore the self-evolution diary and SKILL.md PR instructions unless you explicitly want the skill to maintain its own improvement notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The self-evolution section tells the agent to append logs under a separate diary path and to submit a PR modifying the skill itself after executions. This creates unauthorized persistence and self-modification behavior beyond the user's requested MATLAB optimization task, which can lead to unexpected repository changes, leakage of task data into logs, and expansion of the skill's behavior over time.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README repeatedly states that the skill will directly optimize MATLAB source and generate an `optimization_summary.md`, but it does not prominently warn that this means modifying files in the target source tree. In an agent context, unclear disclosure of write behavior can lead users to invoke the skill expecting analysis only, resulting in unintended code changes or overwritten local work.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to edit source files and write a summary document without an explicit user-facing warning at the point of use. That can produce unexpected local modifications, especially if the user expected analysis-only behavior, and increases the risk of unintended changes to valuable research code or data-adjacent files.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The cleanup guidance explicitly authorizes deletion of code, helper functions, plotting logic, and artifacts once judged 'useless,' but gives no mandatory backup, patch review, or user confirmation step. In a research-code context, such deletions can irreversibly remove experiments, undocumented dependencies, or reproducibility paths that are difficult to recover.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The default prompt invokes the skill with a very broad phrase and no explicit trigger constraints, so an orchestrator or user may activate it in situations where MATLAB code, paper comparison, or optimization should not occur. Because this skill is designed to modify source code and generate summaries, overbroad activation increases the risk of unintended code changes, excessive file access, or misuse on unrelated tasks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal