Clawhub Mirror Config And Search Skill

Security checks across malware telemetry and agentic risk

Overview

This is a mostly transparent setup guide, but it asks agents to make persistent cross-workspace and Git changes that go beyond a simple mirror or search-skill install.

Install only if you intentionally want agents to use the cn.clawhub-mirror.com registry and you trust that mirror. Before allowing the archival workflow, require the agent to list exact files, workspaces, branch, remote, and diff; avoid `clawhub update --all`, cross-workspace sync, Git commits, or Git pushes unless you explicitly requested them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill expands from mirror/setup guidance into repository-wide persistence actions: writing under `.learnings`, updating shared indexes, syncing across multiple agent workspaces, and pushing to a remote repository. This materially increases scope from a local install fix to durable cross-repo modification, which can cause unintended data propagation or unauthorized repository changes if followed automatically.

Context-Inappropriate Capability

Low
Confidence
76% confidence
Finding
Including `clawhub update --all` broadens the operational effect beyond installing the intended search skill or configuring a mirror. Bulk updates can change unrelated installed skills, introduce unexpected behavior, and increase blast radius if the mirror or package source is untrusted or misconfigured.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger condition is overly broad: it says the skill should activate even when the user did not explicitly ask about mirrors, as long as installation is slow or fails. Broad auto-activation increases the chance that agents invoke this skill in unrelated contexts, exposing users to unnecessary configuration changes and the broader side effects included later in the document.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The usage section allows activation for general multi-search-engine help requests, which is outside the stated mirror/setup function. This increases the chance the skill is invoked as a catch-all search assistant, bringing along unrelated install/configuration and persistence instructions that users did not request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs file creation, index modification, synchronization across multiple working directories, and Git commits/pushes without explicit warnings about altering local data or remote repositories. In an agent setting, omission of consent and safety boundaries around write/sync/push actions is dangerous because it can lead to persistent, widespread changes from what appears to be a simple setup task.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The prompt at this location uses broad language around initializing a search environment, avoiding rate limits, supporting many engines, and archiving experience, without a sufficiently narrow trigger tied to explicit ClawHub mirror setup. Such wording can cause the skill to activate during unrelated setup or search-tool requests, leading to unintended command execution, repository modifications, or knowledge-base writes outside the user's real intent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
This prompt is overly broad because it treats a generic complaint about slow skill installation plus a desire for easier searching as sufficient to invoke a specialized mirror-and-search setup workflow. In context, the skill also performs persistent side effects such as updating TOOLS.md and committing to Git, so accidental invocation could modify files and version history during unrelated support requests.

VirusTotal

66/66 vendors flagged this skill as clean.
