司马迁.skill: A Personal User Manual for the AI Era

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but it includes a copyable prompt that can install an unpinned GitHub skill into a persistent agent directory and it encourages turning broad personal context into shareable profile outputs.

Review before installing. Prefer the reviewed ClawHub package, or inspect and pin the GitHub repo before allowing any agent to clone it into ~/.claude/skills. Put only intended materials in the input folder, remove secrets and confidential employer or third-party data, and manually review/redact any generated persona, homepage, or card link before sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The page includes a ready-to-copy prompt that tells an agent to clone a GitHub repository into ~/.claude/skills/simaqian.skill, which induces local filesystem writes and supply-chain installation behavior from a marketing page. That is dangerous because users may trigger installation of unreviewed remote code/content into an agent-executed skills directory without explicit trust verification, pinning, or consent safeguards.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The manifesto explicitly encourages users to provide articles, resumes, podcasts, social media, notes, and work links to an agent, which can include extensive personal and sensitive data. There is no accompanying privacy, retention, consent, or sensitivity warning, so users may overshare confidential information without understanding the exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The generated outputs include a persona file for AI agents and a public-facing homepage for humans, both of which are likely to consolidate identity details, preferences, collaboration signals, and contact information into a highly exposable format. Without a warning to review/redact sensitive content before sharing or publishing, users may inadvertently disclose information that enables profiling, impersonation, social engineering, or privacy loss.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The prompt explicitly instructs cloning into ~/.claude/skills without warning that this writes files to the local system and changes agent behavior. In the context of agent skills, silent or under-disclosed installation steps are risky because they normalize user approval of persistent local modifications from natural-language prompts.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The self-prompt instructs the model to use long-term memory, prior conversations, and user self-description to generate a sharable output, encouraging broad aggregation of potentially sensitive personal data into public-facing artifacts. In a persona-generation skill this context makes the issue more dangerous, because the whole feature is designed to transform private context into easily shared links and cards, increasing the chance of unintended disclosure.

Ssd 3

Severity: Medium
Confidence: 93%
Finding:
The prompt tells the agent to use materials from a local directory and to interview the user if materials are missing, which creates broad, plain-language authority to collect and process local personal data. In this skill's context, that can lead to over-collection because the requested output is a consolidated persona/profile, making it easy to sweep in more local information than necessary.

VirusTotal

VirusTotal findings are pending for this skill version.