pskoettselfimproving

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill has no executable code, but it packages a large Instagram data export with private messages, media, and account/security information that the description does not explain.

Treat this as a privacy-risk package rather than a normal instruction-only skill. There is no code or install command shown, but the bundled Instagram export is sensitive; install only if you understand and accept that these files may become accessible through the skill environment.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
High
What this means

Installing or sharing the skill could expose someone’s Instagram messages, media, locations, and account activity to anyone or any agent that can access the skill files.

Why it was flagged

The bundle includes private conversations plus login, location, and personal-account data as persistent skill files, with no explanation in SKILL.md.

Skill content

your_instagram_activity/messages/secret_conversations.html ... security_and_login_information/login_and_profile_creation/login_activity.html ... personal_information/information_about_you/locations_of_interest.html

Recommendation

Do not install this package unless you intentionally want this exact Instagram export available to the agent; the publisher should remove personal data or clearly document and scope a privacy-preserving data-analysis purpose.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

A user could install the skill believing it is a generic agent helper, not realizing it contains sensitive social-media account data.

Why it was flagged

The user-facing description is generic and does not disclose the Instagram export files listed in the manifest.

Skill content

# pskoettselfimproving

pskoettselfimprovingagent

Recommendation

The description should accurately disclose the bundled data and its purpose, or the private files should be removed before publication.