Task Assessor

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it expands a task-assessment role into broad pre-execution control and persistent local storage of user intent data.

Review before installing. Treat this as a broad workflow-control and local-memory skill, not just a task estimator. Install only if you are comfortable with it seeing many prompts before execution, influencing whether tasks proceed, and storing task text and preferences locally; a safer version would limit itself to assessment output and make persistence opt-in with inspect/delete controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill documentation references persistent storage paths under the user's home directory and therefore implies filesystem/environment-backed capabilities without declaring them in metadata. Undeclared capabilities reduce transparency and can bypass expected permission review, especially when the skill also claims a narrower assessment-only purpose.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is task difficulty and cost assessment, but the file expands into session caching, preference profiling, interpretation storage, cleanup routines, and execution control. This mismatch is dangerous because users and reviewers may grant or invoke the skill expecting passive analysis while it actually performs broader stateful and operational behavior.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
A skill described as an assessor is redefined as a global pre-execution interception layer for all user instructions. That creates privilege and control expansion well beyond its advertised scope, allowing it to influence or gate unrelated tasks and become a universal decision point in the agent pipeline.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The documentation authorizes direct execution after clarification and resubmission, which exceeds a pure assessment role and effectively turns the skill into an execution orchestrator. This is risky because a user may invoke an assessor expecting advice, while the skill is empowered to transform inputs and trigger downstream actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Persistently storing per-user preference history is unrelated to basic difficulty estimation and introduces silent profiling and retention of behavioral data. Even if intended for convenience, this broadens data collection and can affect future task handling without transparent consent or strong minimization controls.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file defines intent-ambiguity and '漏洞' ("vulnerability") parsing logic instead of the skill's stated purpose of task difficulty, time, cost, and skill assessment. In a task-assessor skill, this mismatch can cause the agent to invoke the wrong decision logic, leading to unsafe execution planning and failure to perform the required risk/complexity checks before acting.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documented thresholds govern clarification behavior and skip conditions, but omit the manifest-required rule that L3 and above must be reported and confirmed before execution. That omission can directly bypass a key safety control, allowing complex or costly tasks to proceed without the mandatory user checkpoint.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The documented behavior is materially misaligned with the skill manifest: instead of task difficulty/cost assessment, it defines a generic reply parser with downstream execution-oriented behavior. This creates a dangerous scope-expansion risk where the agent may parse inputs for unrelated domains and act on them under the authority of a skill that users and orchestrators expect to be assessment-only.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The parser includes stock-analysis and file-operation intent mappings that are unrelated to task assessment, indicating hidden or overbroad capabilities. In particular, file-operation terms such as opening, compressing, and deleting can enable unintended action routing if other components trust this skill's parsed output.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The flow explicitly ends in '补全参数,执行' ("complete the parameters, execute") after validation, which contradicts the manifest's requirement to assess tasks and obtain confirmation before higher-risk execution. This is dangerous because a parser embedded in an assessment skill can become an execution bridge, bypassing expected review and user-consent controls.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements persistent intent-clarification caching, preference tracking, and translation-history storage even though the declared skill is for task difficulty/cost assessment. That scope mismatch is dangerous because it introduces unrelated data collection and retention capabilities that can capture sensitive user intent and behavior without a clear need, increasing privacy and misuse risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code persistently stores user preferences and translation records to disk, creating a durable behavioral profile not justified by a task-assessment skill. In this context, that broadens the skill from transient assessment into long-term tracking, which can expose sensitive patterns about user requests and inferred intent if the files are read by other local processes or operators.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The header comments describe only cache-file management, but the implementation also manages persistent preferences and translation tables. This mismatch reduces transparency and can hide privacy-relevant behavior from reviewers and users, making risky data handling easier to miss during review or deployment.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad enough that the skill may activate on many ordinary planning or help requests, increasing the chance of inappropriate interception and unexpected behavior. Over-broad activation is especially risky here because the skill also performs clarification gating, persistence, and possible execution handoff.

Vague Triggers

High
Confidence
96% confidence
Finding
Defining the clarification interceptor as applying to all user instructions before execution creates effectively universal activation. In this context, that is dangerous because a nominally narrow skill can mediate unrelated workflows, collect data from every task, and alter system behavior far beyond user expectations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Sensitive intent data, vulnerabilities metadata, and later user preferences/translations are written as plaintext JSON under the user's home directory with no visible notice, consent flow, or protective controls. In a task-assessment skill, such undisclosed local persistence is unnecessary and increases the chance of privacy leakage through local compromise, backups, shared accounts, or other software reading these files.

VirusTotal

VirusTotal findings are pending for this skill version.