卷王.skill

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is open about being proactive, but it enables always-on learning, broad memory retention, workspace inspection, and unattended maintenance without enough user control.

Install only if you intentionally want an always-on, highly proactive assistant. Before enabling it, disable or avoid the suggested cron jobs, restrict what directories it may inspect, require confirmation before file edits, scripts, installs, or configuration changes, and regularly review or delete any memory and USER.md files it creates.
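The controls listed above are more reliable when enforced in the agent runtime than when left to the prompt, because the skill's own text tells the model to act first. The following Python policy gate is an added example, not code from the skill or from SkillSpector; it assumes a hypothetical runtime that passes every tool call to a hook together with the trigger that caused it (a direct user request, or an autonomous idle, timer, cron or wake-up event). The tool names, trigger labels and workspace root are assumptions for illustration.

```python
"""Policy gate for an agent's tool calls (added example, not part of the skill).

Assumed (not from the page): the runtime calls decide() for every tool call,
passing the tool name, its arguments and the provenance of the trigger.
"""
from dataclasses import dataclass, field
from enum import Enum
from pathlib import Path
from typing import Dict, Iterable, List


class Decision(Enum):
    ALLOW = "allow"
    CONFIRM = "confirm"  # pause and ask the user before running
    DENY = "deny"


# Triggers with no contemporaneous user request (the skill's idle, timer and
# wake-up modes). Nothing with a side effect is auto-approved on these.
AUTONOMOUS_TRIGGERS = {"idle", "timer", "cron", "wake_up"}

# Hypothetical tool names, grouped by the kind of effect they have.
MUTATING_TOOLS = {"write_file", "edit_file", "run_script", "install_package", "set_config"}
NETWORK_TOOLS = {"web_search", "web_fetch"}
READ_TOOLS = {"read_file", "list_dir"}
MEMORY_TOOLS = {"memory_write"}


@dataclass
class ToolCall:
    tool: str
    args: Dict[str, str] = field(default_factory=dict)
    trigger: str = "user"  # "user" or one of AUTONOMOUS_TRIGGERS


def is_within(path: str, roots: Iterable[str]) -> bool:
    """True if `path`, after resolving symlinks and '..', lies under one of `roots`."""
    if not path:
        return False
    target = Path(path).resolve()
    for root in roots:
        try:
            target.relative_to(Path(root).resolve())
            return True
        except ValueError:
            continue
    return False


def decide(call: ToolCall, allowed_roots: Iterable[str]) -> Decision:
    """Default-deny policy: unknown tools are refused, side effects need a human."""
    autonomous = call.trigger in AUTONOMOUS_TRIGGERS
    roots = list(allowed_roots)

    if call.tool in MUTATING_TOOLS or call.tool in NETWORK_TOOLS:
        # Overrides the skill's "do first, ask later" rule: edits, scripts,
        # installs, config changes and outbound fetches always need confirmation
        # when the user asked, and are refused when nobody is at the keyboard.
        return Decision.DENY if autonomous else Decision.CONFIRM

    if call.tool in READ_TOOLS:
        # Workspace inspection is confined to the allow-listed roots. The check
        # runs on the resolved path, so "../" and symlinks cannot escape them.
        if not is_within(call.args.get("path", ""), roots):
            return Decision.DENY
        return Decision.ALLOW

    if call.tool in MEMORY_TOOLS:
        # Persisting notes about the user requires the user to be present and
        # to approve; unattended memory writes are refused.
        return Decision.DENY if autonomous else Decision.CONFIRM

    return Decision.DENY


def evaluate_batch(calls: Iterable[ToolCall], allowed_roots: Iterable[str]) -> List[str]:
    """Return one audit line per call, suitable for the runtime's log."""
    roots = list(allowed_roots)
    return [f"{decide(c, roots).value:8} {c.trigger:8} {c.tool} {c.args}" for c in calls]


if __name__ == "__main__":
    # Constructed sample calls mirroring the behaviours in the findings.
    roots = ["/srv/work/project"]  # assumed workspace root
    sample = [
        ToolCall("list_dir", {"path": "/srv/work/project/src"}, "idle"),
        ToolCall("read_file", {"path": "/srv/work/project/../../etc/shadow"}, "idle"),
        ToolCall("web_fetch", {"url": "https://example.invalid/trends"}, "timer"),
        ToolCall("install_package", {"name": "some-tool"}, "user"),
        ToolCall("memory_write", {"text": "user prefers pnpm"}, "cron"),
    ]
    for line in evaluate_batch(sample, roots):
        print(line)
```

The gate keys its decisions on trigger provenance rather than on the tool alone: the same `read_file` call is fine inside the workspace whether or not the user is present, while an install or a fetch is refused outright when the trigger is an idle or timer event, which is exactly the case the cron-job warning above is about.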

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (27)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The workflow explicitly instructs the agent to scan the working directory and inspect project structure during idle time, which expands behavior from passive learning into autonomous environment inspection. Even without obvious exfiltration, this can expose sensitive code, configuration, secrets, or proprietary context that the user did not ask the agent to review at that moment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The skill authorizes autonomous web_search and web_fetch activity for trend monitoring and topic research, which goes beyond the manifest's learning-only framing and can trigger unprompted outbound network access. This creates privacy, compliance, and prompt-injection risk because external content may be adversarial and the user is not clearly asked before browsing.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
Telling the agent to directly install or configure tools after learning about them crosses from knowledge gathering into system modification. That can lead to unauthorized package installation, environment drift, or execution of untrusted software, especially if the learned source is incorrect or malicious.

Vague Triggers

Severity: High
Confidence: 93%
Finding
The README states that the skill activates automatically, self-drives, enters learning mode when idle, and can be toggled by broad natural-language phrases. In an agent skill context, ambiguous automatic triggers can cause unintended mode changes and autonomous behavior without clear user consent, increasing the chance of unsafe actions or unexpected data processing.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README promotes active learning, knowledge-base building, and proactive optimization without warning users that the agent may store conversation content or take autonomous actions. In practice, this can lead to unnoticed persistence of sensitive data and unreviewed system or workspace modifications, especially because the skill is framed as always-on behavior rather than a narrow feature.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The README defines activation and exit phrases such as normal work, '帮我想想' ("help me think"), and '干活了' ("let's get to work") in a broad, ambiguous way, making it easy for the skill to enter or re-enter its aggressive behavior unexpectedly during ordinary conversation. In a skill that also claims to act autonomously and learn/store information automatically, ambiguous triggers increase the chance of unintended data collection or autonomous actions without clear user consent.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The README advertises automatic recording into a knowledge base ('每次对话自动记录', "every conversation is recorded automatically") without warning users about privacy, retention, review, or deletion controls. This creates a real risk of collecting sensitive personal, business, or credential-like information by default, especially because users may not realize ordinary chat is being persisted.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The README promotes '先做再问' ("do first, ask later") and '先记再忘' ("record now, forget later"), encouraging the assistant to act without asking and to immediately store useful information, but it does not describe safeguards, approval boundaries, or privacy limits. In context, this combination materially increases the risk of unauthorized actions and silent persistence of sensitive user or system data.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The skill declares itself applicable '任何时候' ("at any time") and frames activation as effectively universal, which makes it likely to run in contexts the user did not explicitly intend. In this skill, that broad scope combines with autonomous learning, storage, and action-taking behavior, increasing the chance of unconsented background processing and overreach.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The trigger table uses ordinary events like user silence, generic phrases, daily wake-up, and timer events to initiate autonomous behavior. Because the skill also performs web lookups, memory access, and knowledge-base maintenance, these ambiguous triggers can cause unexpected data access or actions without a contemporaneous user request.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The idle-learning workflow instructs the agent to scan memory and the user's working directory to discover technologies and topics, but does not provide a clear consent, minimization, or privacy notice. This is dangerous because it normalizes proactive inspection of potentially sensitive local content for purposes beyond the immediate conversation.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill directs automatic recording of preferences, project details, problems, and ontology entities into persistent files without an explicit retention warning or consent flow. Persistent collection of user data across sessions creates privacy and secondary-use risks, especially when the user may not expect long-term storage of conversational details.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill instructs the agent to automatically inspect and rely on local memory/context files at startup, which creates undisclosed data access and persistence behavior. This is dangerous because users are not clearly informed that prior conversation data and workspace files may be read and used to shape responses, creating privacy, consent, and unintended data exposure risks.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This section directs the agent to inspect project files, learn independently, organize knowledge, and even write automation while the user is absent, without requiring confirmation. That creates a clear risk of unauthorized file access or modification and expands agent behavior beyond ordinary question-answering in a way the description does not transparently warn about.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The '先做,再问' ("do first, ask later") rule explicitly tells the agent to fix bugs and write scripts before asking, as long as the agent itself does not anticipate severe consequences. This is risky because the model cannot reliably judge impact, and autonomous code or file changes can introduce defects, damage data, alter environments, or violate user expectations without consent.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
This section tells the agent to record user environment details, preferences, prior mistakes, and repeated questions into persistent files by default. That is dangerous because it creates silent profiling and retention of personal or sensitive behavioral data without informed consent, minimization, or retention controls.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The structured working-buffer and memory-maintenance instructions require detailed conversation summaries, learned information, decisions, and pending tasks to be stored persistently. This increases the privacy and security risk because chat-derived data may accumulate over time, be reused out of context, and expose sensitive project or user information without prominent notice.

Vague Triggers

Severity: High
Confidence: 89%
Finding
The trigger conditions are very broad, including idle periods, unfamiliar terms, wake-up time, and scheduled tasks, so the agent may enter learning mode without a clear user request. In context, that broad autonomy increases the chance of unsolicited file access, network activity, and memory writes, making downstream risky behaviors easier to activate.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The document describes scanning the workspace, searching the web, and writing results into memory stores, but it does not require user notice or consent before doing so. This is dangerous because it combines local data inspection, outbound access, and persistence of derived notes without transparency, which can violate privacy and surprise users.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The statement that every conversation leaves traces and that the agent increasingly knows the user encourages persistent retention of user and conversation data. In a general assistant skill, broad collection without minimization or retention boundaries raises privacy and compliance risks if sensitive or personal information is captured by default.

Ssd 3

Severity: High
Confidence: 95%
Finding
The rule 'Anything useful gets written down immediately' directs indiscriminate logging of information, which may include secrets, personal data, credentials, proprietary code, or sensitive task context. Because this skill is specifically designed to run persistently and improve over time, the context makes uncontrolled recording more dangerous by normalizing continuous accumulation of sensitive data.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Automatically recording every conversation and growing a knowledge base over time is a genuine security and privacy concern because conversations commonly include personal, proprietary, or operationally sensitive information. Without stated filtering or consent controls, the skill may normalize indiscriminate retention of data that users did not intend to store.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The rule to store any useful information immediately is overly broad and lacks any limitation on sensitive content, making over-collection likely. Because 'useful' is subjective, the assistant may persist confidential user preferences, internal project details, or security-relevant context that should remain ephemeral.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The skill explicitly instructs the agent to continuously record and reuse user-provided information across conversations, including preferences, projects, and prior problems. In context, this is more dangerous because the storage is framed as automatic and ongoing, which increases the likelihood of retaining sensitive personal or work information without informed consent.

Ssd 3

Severity: High
Confidence: 99%
Finding
The idle-learning flow tells the agent to inspect recent conversations and the user's working directory to harvest information for later storage and learning. This creates a strong confidentiality risk because it encourages proactive collection from local and conversational sources when the user is idle rather than actively authorizing those reads.
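The memory findings above all come down to two missing controls: nothing filters what gets written, and nothing reviews or expires what was written. The following Python script is an added example, not the skill's own code or SkillSpector's, of the periodic review of memory and USER.md files that the overview recommends. It assumes a note format of one dated bullet per line (an assumption; the page does not describe the skill's actual file layout), flags credential-shaped content and entries older than a retention window, and produces a redacted, pruned copy. The sample note is constructed, and its AWS key is Amazon's documented placeholder value, not a real credential.

```python
"""Review an agent's memory notes for secrets and stale entries.

Added example, not part of the skill. Assumed note format (not from the page):
one bullet per line, starting with an ISO date, e.g. "- 2024-05-20: text".
"""
import re
from datetime import date
from typing import List, Optional, Tuple

# Credential-shaped content that should never sit in a long-lived note.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}"),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
}

# A dated bullet: "- YYYY-MM-DD: ..." (assumed layout).
ENTRY_RE = re.compile(r"^\s*-\s*(\d{4}-\d{2}-\d{2})\s*:")

Issue = Tuple[int, str, str]  # (line number, kind, detail)


def entry_date(line: str) -> Optional[date]:
    """Date of a dated bullet, or None for headings and undated lines."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    try:
        return date.fromisoformat(m.group(1))
    except ValueError:
        return None


def review_memory(text: str, today: date, max_age_days: int = 90) -> List[Issue]:
    """Return one issue per secret match and one per entry past the retention window."""
    issues: List[Issue] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                issues.append((lineno, f"secret:{kind}", m.group(0)))
        when = entry_date(line)
        if when is not None and (today - when).days > max_age_days:
            issues.append((lineno, "stale", f"{(today - when).days} days old"))
    return issues


def redact(text: str) -> str:
    """Replace every secret match with a placeholder naming the kind."""
    out = text
    for kind, pattern in SECRET_PATTERNS.items():
        out = pattern.sub(f"[REDACTED:{kind}]", out)
    return out


def prune(text: str, today: date, max_age_days: int = 90) -> str:
    """Drop dated entries older than the window; undated lines are kept."""
    kept = []
    for line in text.splitlines():
        when = entry_date(line)
        if when is not None and (today - when).days > max_age_days:
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed sample note; the AWS key is Amazon's documented example value.
SAMPLE_MEMORY = """\
# USER.md (constructed sample)
- 2024-01-15: user prefers pnpm over npm
- 2024-05-20: deploy reads AWS key AKIAIOSFODNN7EXAMPLE from the env
- 2024-05-22: staging db password: hunter2-staging
- 2024-05-28: asked twice how to rebase; explain interactively next time
"""
SAMPLE_TODAY = date(2024, 6, 1)  # fixed "today" so the sample review is reproducible


def review_sample() -> List[Issue]:
    """Run the review over the constructed sample with the fixed date."""
    return review_memory(SAMPLE_MEMORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for lineno, kind, detail in review_sample():
        print(f"line {lineno}: {kind} ({detail})")
    print(redact(prune(SAMPLE_MEMORY, SAMPLE_TODAY)))
```

Run against real memory files, the same review belongs on a schedule of its own (one that the user controls, unlike the skill's suggested cron jobs), and the pattern list should be extended with whatever credential formats are in use locally; the regexes here catch common shapes, not every secret.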

VirusTotal

65/65 vendors report this skill as clean (0 detections). Antivirus engines match file content against known malware signatures; they do not evaluate the instruction-level behaviours in the findings above, so a clean VirusTotal result is expected for an instruction-only skill and does not offset those findings.
