Planning with files

Security checks across malware telemetry and agentic risk

Overview

This planning skill is mostly purpose-aligned, but it reads and reprints prior agent session history and automatically injects plan-file content, which deserves careful review before installation.

Install only if you are comfortable with a planning skill that can read local agent session logs for the current project and surface prior conversation snippets to restore context. Avoid using it in repositories or sessions where prompts, command arguments, or tool outputs may contain secrets, and prefer attested or scoped plan modes when using automatic plan injection or gated long-running work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The notes explicitly include 'attention manipulation' language directing the agent to re-read the plan before major decisions. Even though framed as productivity guidance, this embeds a behavioral steering mechanism in a reusable template, which can bias future decisions and amplify any unsafe or user-misaligned content copied into the plan.

Context Leakage

High
Category
Data Exfiltration
Content
def extract_messages_after(messages: List[Dict[str, Any]], after_line: int) -> List[Dict[str, Any]]:
    """Extract conversation messages after a certain line number."""
    result = []
    for msg in messages:
        line_num = msg.get('_line_num')
Confidence
97% confidence
Finding
Extract conversation

Hidden Instructions

High
Category
Prompt Injection
Content
# Task Plan: [Brief Description]
<!-- 
  WHAT: This is your roadmap for the entire task. Think of it as your "working memory on disk."
  WHY: After 50+ tool calls, your original goals can get forgotten. This file keeps them fresh.
  WHEN: Create this FIRST, before starting any work. Update after each phase completes.
Confidence
90% confidence
Finding
<!-- WHAT: This is your roadmap for the entire task. Think of it as your "working memory on disk." WHY: After 50+ tool calls, your original goals can get forgotten. This file keeps them fresh.

Hidden Instructions

High
Category
Prompt Injection
Content
-->

## Goal
<!-- 
  WHAT: One clear sentence describing what you're trying to achieve.
  WHY: This is your north star. Re-reading this keeps you focused on the end state.
  EXAMPLE: "Create a Python CLI todo app with add, list, and delete functionality."
Confidence
86% confidence
Finding
<!-- WHAT: One clear sentence describing what you're trying to achieve. WHY: This is your north star. Re-reading this keeps you focused on the end state. EXAMPLE: "Create a Python CLI todo app

Hidden Instructions

High
Category
Prompt Injection
Content
# Task Plan: [Brief Description]
<!--
  WHAT: This is your roadmap for the entire task. Think of it as your "working memory on disk."
  WHY: After 50+ tool calls, your original goals can get forgotten. This file keeps them fresh.
  WHEN: Create this FIRST, before starting any work. Update after each phase completes.
Confidence
94% confidence
Finding
<!-- WHAT: This is your roadmap for the entire task. Think of it as your "working memory on disk." WHY: After 50+ tool calls, your original goals can get forgotten. This file keeps them fresh. W

Hidden Instructions

High
Category
Prompt Injection
Content
-->

## Run Contract
<!--
  WHAT: The rules this run operates under. The orchestrating agent reads this once at the
        top of the run and the gate honors it. None of these change v2 behavior unless a
        mode is explicitly set; default-everything here equals legacy semantics.
Confidence
97% confidence
Finding
<!-- WHAT: The rules this run operates under. The orchestrating agent reads this once at the top of the run and the gate honors it. None of these change v2 behavior unless a mode is

Hidden Instructions

High
Category
Prompt Injection
Content
these fields mirror. If you hand-edit, keep this block in sync with .planning/<id>/.mode.
-->
- **Mode:** gated
  <!-- autonomous = low recitation, no completion gate. gated = completion gate active (Stop
       hook may hold the turn until the in_progress phase clears). Omit the mode (or no .mode
       file) for plain legacy behavior. -->
- **Gate cap:** 20
Confidence
96% confidence
Finding
<!-- autonomous = low recitation, no completion gate. gated = completion gate active (Stop hook may hold the turn until the in_progress phase clears). Omit the mode (or no .mode file) fo

VirusTotal

64/64 vendors flagged this skill as clean.