EU Compliance Skill - complisec

Security checks across malware telemetry and agentic risk

Overview

This is a real compliance-assistance skill, but it asks for unusually broad, persistent influence over prompts, local files, memory, and compliance records.

Install only if you intentionally want a persistent, organization-wide compliance layer. Before enabling it, decide where the profile may live, avoid putting sensitive profile JSON in system prompts or memory unless approved, require confirmation before writing .compliance records or exporting logs, and narrow activation to explicit compliance, security, incident, vendor, deployment, or code-risk tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares broad file-based behavior and instructs reading `.compliance/profile.json`, but does not transparently declare permissions or bound that access to explicit user consent. Hidden or implicit file access increases the chance of unintended data exposure and weakens the user's ability to understand what the skill can inspect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill markets itself as universal compliance enforcement on every prompt, but the instructions largely describe advisory text and optional profile lookup rather than actual guardrail enforcement. This can create dangerous false assurance: users may rely on the skill to block secrets, enforce residency, or apply GDPR/ISO controls when it does not reliably do so.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest suggests profile loading from `.compliance/profile.json`, but the body also directs the agent to search system prompts, custom instructions, workspace settings, and memory. Expanding data sources beyond the declared scope increases the chance of collecting sensitive hidden context that users did not expect to be inspected for this purpose.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Instructing the skill to inspect the current system prompt, project instructions, custom instructions, or workspace settings reaches into hidden and potentially sensitive control-plane data. That broad inspection can expose unrelated secrets, policies, or internal prompts beyond what is necessary for compliance profile lookup.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to search conversation context, system/project/custom instructions, and persistent memory for a profile, which expands data access beyond the stated file-based compliance purpose. This can expose unrelated sensitive configuration or hidden instructions and creates an unnecessary prompt/data inspection surface without explicit user consent.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The boot sequence directs broad capability probing for file access, shell, memory, and web fetch even though most of these are not required to answer ordinary compliance questions. While this is not exploit code in itself, it increases the skill's operational awareness and could lead to unnecessary use of privileged capabilities in environments where least privilege should apply.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill goes beyond generating a profile and explicitly instructs the agent to persist that profile into memory, project instructions, system prompts, or local files so it affects future conversations. Because the stored JSON includes sensitive organisational details and is intended to influence agent behavior globally, this creates a durable prompt/instruction injection channel and expands the blast radius well beyond the immediate setup flow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The cross-platform deployment section instructs the agent to place generated content into privileged instruction channels such as memory, custom instructions, project instructions, and system prompts. That is dangerous because it normalizes hidden, persistent modification of agent behavior across environments, and could be abused to smuggle policy-like directives or sensitive data into long-lived control surfaces.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README states that the skill 'activates when your prompt carries compliance risk' and the metadata says it should activate on every prompt, but neither defines precise trigger boundaries, precedence, or opt-in/opt-out rules. In an agent skill, overly broad activation can cause the skill to intercept unrelated prompts, read sensitive workspace files such as `.compliance/profile.json` more often than necessary, and influence code generation or operational workflows outside the user's intent, expanding both data exposure and control surface.

Vague Triggers

High
Confidence
95% confidence
Finding
A skill that self-activates on every prompt is over-broad and can insert itself into unrelated conversations, increasing unnecessary access to user data and hidden context. This also raises the risk of persistent policy interference and surprise processing without user intent or contextual relevance.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill reads and writes persistent profile data and instructs cross-conversation persistence, but the description does not provide a clear user-facing warning about storage, reuse, and placement of that data. This creates privacy and governance risk, especially because compliance profiles may contain sensitive organizational details.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
Forcing EU compliance framing onto every prompt without opt-in can cause inappropriate processing of unrelated requests and may pressure users into sharing organizational information unnecessarily. The risk is amplified because the skill claims broad enforcement authority rather than optional assistance.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is designed to activate on very broad conditions and, when no profile exists, to immediately steer the interaction into creating `.compliance/profile.json`. In a compliance skill that claims to activate on every prompt, this broad trigger can cause unnecessary collection of organisational data and persistent state changes in conversations where the user did not explicitly ask for onboarding or file creation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document repeatedly instructs the agent to read, create, and update `.compliance/profile.json`, which may contain sensitive organisational details such as critical assets, suppliers, legal obligations, and risk appetite, but it does not pair that behavior with data-minimization, consent, retention, or confidentiality safeguards. In a security/compliance context, silently persisting this kind of metadata increases privacy and leakage risk because the file becomes a high-value local target.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The dynamic context injection example uses a shell command to read `.compliance/profile.json` directly into the prompt, which can expose sensitive local organisational data to the model without any explicit privacy notice, scoping, or redaction. Because the skill is intended to run broadly, this pattern increases the chance that confidential asset inventories, supplier data, and legal constraints are unnecessarily surfaced in contexts beyond the user's immediate intent.

Vague Triggers

High
Confidence
97% confidence
Finding
The skill declares that it should activate on essentially any request involving code generation, review, or modification in any language, which creates policy-collision and prompt-preemption risk across normal development workflows. In practice this can force unsolicited behavior, override narrower user intent, and cause the agent to inject logging requirements or compliance actions into unrelated tasks, increasing the chance of unsafe file changes, hidden side effects, and denial of normal operation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to append audit events to `.compliance/audit.log` as part of normal operation, but does not require user consent, visibility, or safeguards around repository modification and data persistence. That creates an implicit write side effect and can leak sensitive workflow metadata into the project, especially because the same document also encourages pervasive logging of tool calls, decisions, and data-access events.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages sending audit logs, incident records, and vendor assessment data to third-party cloud and observability platforms, but it does not explicitly require a user-facing warning, data classification step, or minimization before transmission. Because these records can contain sensitive operational, security, and possibly personal data, users may unknowingly export regulated information to external processors or cross-border services, creating confidentiality and compliance risk.

Vague Triggers

High
Confidence
96% confidence
Finding
Instructing the skill to activate on every prompt gives it persistent influence over unrelated conversations and decisions, far beyond a narrow compliance-review use case. This broad trigger increases the chance of unsolicited data inspection, interference with normal agent behavior, and accidental application of sensitive-policy logic in contexts where it is not needed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly tells the agent to silently record capabilities and search for profile data without telling the user. Hidden capability discovery and covert inspection of files, prompts, or memory undermines transparency and consent, and can cause the agent to process sensitive data outside user expectations.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation scope is intentionally broad enough to trigger on any message containing sensitive-looking content, even when the user did not explicitly request a security workflow. In an agent pipeline, that can cause unexpected interception of normal conversations, over-collection of message content for scanning/logging, and denial of intended tasks, especially because the skill also mandates blocking and audit logging.

Natural-Language Policy Violations

Medium
Confidence
75% confidence
Finding
The skill states that it enforces EU data protection rules by default, without establishing whether the user, organization, or processing context is actually subject to those requirements. In a general-purpose agent, this can create policy overreach, unnecessary blocking, and forced handling rules that may conflict with tenant-specific governance or legal bases.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation criteria are broad enough to trigger on routine discussion of incidents, breach obligations, or response procedures, which can cause the agent to enter a high-privilege workflow unnecessarily. In this skill, activation leads to file creation, profile inspection, deadline tracking, and possible generation of notification artifacts, so accidental invocation can expose or persist sensitive information without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to automatically create and update incident records on disk in a predictable location, and those records contain highly sensitive security and personal-data details. Writing such data without an explicit warning, consent flow, minimization rules, or storage protection can create a secondary confidentiality risk and leave durable forensic or breach-related data exposed to other tools, users, or backups.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill instructs the agent to read organizational profile data and reporting references to determine critical assets, jurisdiction, and authorities, but it does not tell the user this sensitive metadata will be accessed. While this is less severe than automatic disk writes, it still expands data exposure and may surprise users who expected only conversational guidance.

VirusTotal

67/67 vendors flagged this skill as clean.
