Skill Evolver

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent improvement purpose, but it asks for broad skill-data collection and mutation authority without enough user control or privacy detail.

Review before installing. Use only in a test or tightly scoped workspace unless you can configure exactly what is collected, redact sensitive fields by default, disable hooks, delete retained data, and require approval plus rollback for any skill edits or A/B tests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The document explicitly states that the skill automatically captures call events including parameters, results, timing, and user feedback, and later example code logs `event.params` and `event.result`. Those fields can contain sensitive prompts, credentials, personal data, or business secrets, yet the skill materials do not provide a clear warning, minimization policy, redaction guidance, or consent model. In a telemetry/analytics skill, this context makes the issue more dangerous because broad event collection is a core feature and is likely to be enabled routinely at scale.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly states it automatically captures execution data including inputs, outputs, execution time, and user feedback, yet provides no clear user-facing consent, retention, minimization, or handling notice. In a meta-skill that processes historical sessions and feedback at scale, this can expose sensitive prompts, outputs, and behavioral data, creating meaningful privacy and data-governance risk.

VirusTotal

64/64 vendors flagged this skill as clean.
