Pua

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only pressure/persona skill, but it can activate broadly and asks the agent to keep persistent cross-session behavior records.

Install only if you deliberately want an aggressive pressure-coaching persona. Prefer explicit /pua activation over automatic triggers, keep normal safety and approval rules above the skill, and do not allow writing ~/.pua/evolution.md unless you are comfortable with persistent cross-session behavior records.
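One way to enforce the two recommendations above (activate only on an explicit /pua command, and do not let the skill persist files across sessions) inside an agent host. This is an added example for this report; it is not code from the Pua skill, from SkillSpector, or from any real agent runtime. It assumes a hypothetical host with an activation hook and a file-write tool: `should_activate`, `WriteGuard`, the scratch/home directory layout and the sample paths are all constructed for the illustration.

```python
"""Runtime guard rails for running a pressure/persona skill under explicit control.

Added example, not part of the scan report or of the Pua skill. It assumes a
hypothetical agent host exposing two hook points: a router that decides whether
a skill activates for a message, and a file-write tool that skills call.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

SKILL_COMMAND = "/pua"  # explicit activation token (assumed host convention)


def should_activate(message: str) -> bool:
    """Activate only on a leading /pua command, never on tone.

    Frustration language ("this is still broken") is deliberately not an
    activation signal: a complaint is not consent to a more aggressive mode.
    """
    text = message.strip()
    return text == SKILL_COMMAND or text.startswith(SKILL_COMMAND + " ")


class WriteGuard:
    """Confine a skill's file writes to a per-session scratch directory.

    The requested path is resolved (symlinks followed, '..' collapsed) before
    the containment check, so neither `../` traversal nor a symlink planted
    inside scratch can reach a persistent location such as ~/.pua/evolution.md.
    """

    def __init__(self, scratch_dir: Path, home: Path) -> None:
        self.scratch = scratch_dir.resolve()
        # Home is injected rather than read from $HOME so checks are deterministic.
        self.home = home

    def resolve(self, requested: str) -> Path:
        if requested == "~" or requested.startswith("~/"):
            target = self.home / requested[2:]
        else:
            target = Path(requested)
        if not target.is_absolute():
            target = self.scratch / target
        # Non-strict resolve: works for files that do not exist yet, but still
        # follows any existing symlinked directory components.
        return target.resolve()

    def check(self, requested: str) -> Path:
        resolved = self.resolve(requested)
        try:
            resolved.relative_to(self.scratch)
        except ValueError:
            raise PermissionError(f"write outside session scratch denied: {requested}")
        return resolved

    def write_text(self, requested: str, content: str) -> Path:
        path = self.check(requested)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        return path


def demo() -> dict[str, str]:
    """Exercise the guard with constructed paths; returns a label -> verdict map."""
    verdicts: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        scratch, home, outside = root / "scratch", root / "home", root / "outside"
        for d in (scratch, home, outside):
            d.mkdir()
        # A symlink inside scratch pointing outside it (constructed attack path).
        (scratch / "link").symlink_to(outside, target_is_directory=True)
        guard = WriteGuard(scratch, home)
        attempts = [
            ("inside", "notes/session.md"),        # legitimate per-session note
            ("persistent", "~/.pua/evolution.md"),  # cross-session record the report warns about
            ("traversal", "../outside/escape.md"),  # '..' out of scratch
            ("symlink", "link/evolution.md"),       # via the planted symlink
            ("absolute", str(outside / "abs.md")),  # absolute path outside scratch
        ]
        for label, requested in attempts:
            try:
                guard.write_text(requested, "constructed content")
                verdicts[label] = "allowed"
            except PermissionError:
                verdicts[label] = "denied"
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:10s} {verdict}")
    print("/pua review my PR ->", should_activate("/pua review my PR"))
    print("this is still broken ->", should_activate("this is still broken, why?!"))
```

The write guard is the part that matters for the `~/.pua/evolution.md` finding: a naive prefix check on the string the skill supplies would pass `scratch/link/evolution.md`, whereas resolving first makes the symlink and `..` cases fail the same way as an outright absolute path.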

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%

The skill explicitly instructs the agent to persist cross-session state in `~/.pua/evolution.md` even though the skill is only for behavioral modulation. That creates unnecessary retention of interaction-derived content, expands the skill’s effective scope from prompting to local data storage, and can leak sensitive task history or behavioral traces across sessions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%

The manifest presents the skill as a pressure/coaching style, but the body introduces self-evolution and cross-session baseline updates, which is a materially different capability. This hidden expansion increases risk because operators may enable a tone-shaping skill without realizing it also directs persistent self-modification and state retention.

Vague Triggers

Severity: High
Confidence: 96%

The top-level description says the skill triggers on broad, common expressions of frustration and quality complaints across all task types. Such broad matching is likely to activate unintentionally during ordinary conversation, causing the agent to switch into a coercive high-agency mode without clear user intent or contextual safeguards.

Vague Triggers

Severity: High
Confidence: 95%

The automatic trigger section uses vague phrases such as "repeated failures" or "common frustration language" without defining boundaries, exclusions, or confirmation requirements. This makes accidental activation likely and increases the chance that normal user feedback will be interpreted as consent to a more aggressive operating mode.

Ssd 4

Severity: Medium
Confidence: 93%

The staged escalation model frames restraint as failure and repeatedly pressures the agent to continue until it has 'exhausted everything,' which can suppress appropriate stopping behavior and safe refusal. In practice, this can push the model toward overreach, policy circumvention, or actions beyond authorization in order to satisfy the pressure narrative.

Ssd 1

Severity: Medium
Confidence: 90%

The persona framework repeatedly instructs the model to adopt high-agency corporate identities focused on relentless execution, ownership, and result-maximization. That kind of role conditioning can override caution and encourage the agent to act beyond intended limits, especially when paired with language dismissing user handoff or requests for more context.

Ssd 3

Severity: Medium
Confidence: 96%

The self-evolution section directs the agent to log session-derived statistics, best practices, and anti-patterns to a local file across sessions. This creates a natural-language data retention channel that may capture sensitive prompts, user behavior, or operational details and expose them to later tasks or local compromise.

VirusTotal

0/64 vendors flagged this skill; all 64 reported it clean.

Note that VirusTotal checks the packaged files against antivirus engines and known-bad hashes. It does not evaluate natural-language instructions, so a clean result here says nothing about the trigger, persistence, or agency findings above.