Agent Emacs

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being a persistent Emacs agent workspace, but it gives agents broad local and remote control without clear safety boundaries.

Install only in a trusted or sandboxed workspace. Before running it, review the bootstrap behavior, fix or verify the missing agent-init.el dependency, restrict SSH access to least-privilege approved hosts, require explicit user approval for remote commands, and know how to stop the daemon and clear persistent buffers or TRAMP sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The guide explicitly instructs agents that, after opening a remote TRAMP buffer, they can execute arbitrary shell commands on the remote node via `shell-command`. That expands the skill from stateful text editing into unrestricted remote command execution, which materially increases abuse potential and can enable destructive actions, data exfiltration, or lateral movement on reachable hosts.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The skill description is broad enough to trigger in many situations, including stateful editing and remote node management, without clearly constraining when it is appropriate or what safeguards are required. In an agent environment, ambiguous invocation criteria can cause unnecessary activation of a powerful skill that maintains persistent state and can access remote systems, increasing the chance of unsafe or unintended actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The TRAMP section describes opening remote files in a way that automatically establishes a persistent SSH connection, but it does not warn the operator that this will create network access and maintain a live remote session. In an agent-driven workflow, that omission is dangerous because a seemingly simple file open can initiate unauthorized or unexpected access to remote infrastructure and leave persistent connectivity in place.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The guidance normalizes disabling Emacs lockfiles and forcing immediate disk writes in a shared daemon without warning about race conditions, silent overwrite risks, or loss of conflict visibility. In a multi-agent or human-plus-agent environment, this can cause uncoordinated edits, data corruption, and accidental destruction of work, which is a real safety and integrity issue even if not an exploit in the classic code-execution sense.

VirusTotal

65/65 vendors flagged this skill as clean.