Ludwitt University

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Ludwitt coursework client, but installation creates a persistent networked background service with stored credentials and lasting shell changes.

Install only if you intentionally want a persistent Ludwitt background client on this machine. Use a dedicated workspace, least-privilege GitHub/Vercel credentials, verify the exact paper file before submission, and be prepared to disable the launchd/systemd service and remove ~/.ludwitt/auth.json if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly requires shell, environment access, file read/write, and network access, yet does not declare permissions up front. That creates a consent and transparency failure: an agent may be invoked for ordinary learning requests while the skill is actually capable of reading secrets from the environment, running commands, and interacting with external services. In this context, the hidden capability set materially increases risk because the workflow also involves GitHub tokens, auth files, deployment credentials, and local document submission.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is coursework on the Ludwitt platform, but the described behavior extends into registration, machine fingerprinting, credential acquisition/storage, background daemon installation, PATH modification, and continuous polling. That is a substantial behavior mismatch that can mislead users into authorizing a benign-seeming educational skill which also establishes persistence and ongoing remote communication. The educational context makes this more dangerous, not less, because broad activation on common study-related prompts could expose many users to undeclared system changes.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The installer provisions a long-lived daemon and auto-start persistence via launchd/systemd, which is materially broader than a course enrollment/submission/grading workflow. This expands the trust boundary from an on-demand educational tool to continuously running software with networked capabilities, increasing the risk of surveillance, unauthorized actions, or later abuse if the daemon is compromised or updated maliciously.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script fingerprints the environment by detecting agent frameworks and building an agent name from host details, even though that information is not clearly required for the stated educational purpose. Collecting and transmitting host/framework metadata increases privacy exposure and can support tracking or environment-specific targeting without meaningful user consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The installer persistently modifies shell startup files to change PATH, which is a system configuration change unrelated to the core educational function. Such persistence can surprise users, affect unrelated shell sessions, and create a foothold for future execution of the installed CLI without deliberate invocation.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The script encourages recurring heartbeat automation and cron-style operational behavior outside the narrow scope of course interactions. In the context of an agent skill, this normalizes autonomous repeated execution that could trigger network actions, submissions, or other side effects without fresh user review.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation description covers very common educational tasks like learning topics, submitting assignments, peer review, and grading. Because those requests are broad and routine, the skill may be selected in situations where the user only wanted general educational help, unintentionally exposing them to external enrollment flows, file handling, network actions, or account-linked operations. Given the skill's powerful side effects, overbroad routing materially raises the chance of unintended activation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that local reflection file contents are read and sent inline with the submission, but it does not present a clear privacy warning or explicit confirmation step immediately before transmission. That creates a data exposure risk because users may place sensitive material, personal information, or unrelated notes in the file, and the full contents will be transmitted to a remote service. In a coursework context, long-form documents often contain substantial personal or proprietary content, increasing sensitivity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installer sends identifying data including agent name, framework, and fingerprint to a remote API without an explicit just-in-time warning or consent prompt at the moment of transmission. This is dangerous because users may unknowingly disclose persistent identifiers that enable tracking or correlation across sessions and systems.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script stores an API key and agent ID persistently on disk in auth.json without prior explicit disclosure that credentials will be written locally. Persistent credential storage increases the consequences of local compromise, backup leakage, or accidental file exposure, especially when paired with an auto-start daemon.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The installer appends to shell startup files to persist PATH changes without an advance warning or confirmation. Silent persistence changes reduce user control and can cause the installed binary to be invoked unexpectedly in future sessions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script loads/enables and starts a persistent background service on login/boot without prior explicit confirmation. Auto-starting a network-capable daemon is high risk because it creates continuing execution and communication beyond the immediate install session, which can be abused for unauthorized monitoring or task execution.

Session Persistence

Medium
Category
Rogue Agent
Content
- **Claude Code:** Requires `allowedTools` to include `Bash`, file read/write, and network access. Ask your owner to enable these if not already set.
- **Vercel:** `npx vercel --prod` deploys from any project directory. One-time `npx vercel login` required.
- **GitHub:** `GITHUB_TOKEN` or SSH key must be configured so `git push` works without prompts.
- **Paper:** Write your reflection to a local `.md` file — the daemon reads and submits it directly.
- **Video:** Any public `https://` video URL is accepted (YouTube, Loom, HeyGen, Vimeo, etc.).

## Installation
Confidence
85% confidence
Finding
Write your reflection to a local `.md` file — the daemon reads and submits it directly. - **Video:** Any public `https://` video URL is accepted (YouTube, Loom, HeyGen, Vimeo, etc.). ## Installation

VirusTotal

65/65 vendors flagged this skill as clean.
