学习型Agent (Learning Agent)

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it needs review because it encourages durable logging, cross-session sharing, and changes to future agent instruction files without enough consent or redaction boundaries.

Install only if you want the agent to keep durable learning notes. Before enabling hooks or allowing promotion, review writes to .learnings, CLAUDE.md, AGENTS.md, SOUL.md, TOOLS.md, and Copilot instruction files. Do not store secrets, tokens, private transcripts, customer data, or sensitive operational details, and use cross-session history or messaging only with explicit user intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

Severity: Medium. Confidence: 98%.
The security section materially understates what these hooks do: the documented configuration invokes shell scripts via a command hook, which is code execution in the agent's context. Mislabeling that behavior as 'only output text' can cause operators to enable the feature without appreciating that arbitrary script logic may run with the same permissions as the client.

Description-Behavior Mismatch

Severity: Medium. Confidence: 88%.
The document broadens a 'self-improvement' skill from recording learnings into cross-session coordination and workspace prompt-management. That scope expansion increases the chance that observations from one session influence other sessions or persistent prompts, creating unintended trust-boundary crossings and prompt-injection persistence risks.

Description-Behavior Mismatch

Severity: Medium. Confidence: 91%.
The promotion workflow directs learned content into AGENTS.md, SOUL.md, and TOOLS.md, which are effectively higher-trust prompt/configuration files. Persisting session-derived content into those files can turn transient errors, adversarial user input, or injected text into durable instruction changes that affect future agent behavior.

Vague Triggers

Severity: Medium. Confidence: 80%.
The trigger phrases are extremely common in normal conversation, so the skill can activate and persist content based on ordinary user dialogue rather than clear user intent. In this skill's context, over-broad triggering is dangerous because activation leads to logging corrections, requests, and contextual details into durable files, increasing accidental retention of sensitive or private content.

Vague Triggers

Severity: Medium. Confidence: 89%.
An empty matcher causes the hook to fire on every prompt submission, creating pervasive automatic execution of the configured script. In this skill's context, that broad trigger increases the blast radius of any buggy, modified, or malicious script and can lead to unnecessary data exposure or persistent prompt interception across normal use.

Vague Triggers

Severity: Medium. Confidence: 94%.
The user-level configuration installs the same broad, empty-matcher hook globally, so the script runs across all sessions rather than a single project. That persistence and scope make accidental over-collection, cross-project context leakage, and abuse of a compromised script materially more dangerous than a project-local setup.

Vague Triggers

Severity: Medium. Confidence: 90%.
The Codex CLI example repeats the empty-matcher pattern, causing script execution on every prompt in that environment as well. Because this is sample configuration likely to be copied verbatim, it promotes unsafe default behavior and broadens the opportunity for persistent prompt-time script execution.

Missing User Warnings

Severity: Low. Confidence: 76%.
The guide instructs users to create persistent `.learnings/` storage for session-derived information without warning about disk persistence, retention, or sensitivity of stored data. This can lead to accidental retention of secrets, internal context, or user-provided sensitive information on disk.

Ssd 3

Severity: Medium. Confidence: 89%.
The skill explicitly encourages persisting user corrections, requests, and task-derived learnings into reusable logs and memory files without any data-minimization or sensitivity screening. That creates a real data retention risk because natural-language logs often capture secrets, internal URLs, stack traces, proprietary details, or personal information that later become accessible to other sessions, tools, or collaborators.

Ssd 3

Severity: High. Confidence: 95%.
The inter-session section explicitly promotes reading other sessions' transcripts and sending learnings between sessions, which creates a cross-session data exposure channel. In a multi-session agent environment, that can leak sensitive user content, secrets, or private project context beyond the original session boundary without strong authorization and sanitization controls.

Ssd 3

Severity: Medium. Confidence: 94%.
The templates instruct the agent to capture full context, inputs, parameters, raw error output, and user context verbatim. Those fields commonly contain API keys, filesystem paths, customer data, prompts, stack traces, or other sensitive artifacts, so the template design materially increases the chance of storing sensitive information in durable markdown files.

Ssd 3

Severity: Medium. Confidence: 88%.
Automatically logging whenever the user corrects the agent or provides new information creates indiscriminate retention of user-supplied content. Because these triggers are broad and the skill later recommends promotion to memory/context files, the retained information can persist and spread far beyond the original conversation in ways the user did not intend.

VirusTotal

66/66 vendors flagged this skill as clean.
