reflexion

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local memory system for coding-agent errors and corrections, but it should only be enabled where automatic local capture and recall are acceptable.

Install only in projects where automatic local memory is acceptable. Prefer project-level hooks over global hooks, add `.reflexion/` to `.gitignore` for private work, review captured entries and promoted rules periodically, and avoid enabling it around secrets or sensitive command output unless you narrow or disable the hooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs the agent to read and write project files such as `.reflexion/entries/`, `.reflexion/index.txt`, and `CLAUDE.md`, yet no explicit permissions are declared. This mismatch matters because the skill persists data and modifies prompt-governing files, so operators may not realize it has durable file-system side effects.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The activation guidance is very broad: 'errors occur,' 'user corrects the agent,' 'non-obvious solution,' and 'before starting tasks in areas with past learnings' could apply to many normal coding sessions. Over-broad activation increases unnecessary collection and reuse of context, which expands the chance of inappropriate logging, retrieval, or behavioral steering from stale entries.

Vague Triggers

High
Confidence
96% confidence
Finding
The `UserPromptSubmit` hook is configured with an empty matcher, so recall runs on every user prompt without constraint. That enables automatic prompt-time injection from stored memory into arbitrary future conversations, which can expose prior project context or let poisoned entries influence unrelated tasks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes automatic injection of prior entries into prompt context but does not provide a clear warning, consent flow, or sensitivity boundary for what may be surfaced. Even if secrets are partially redacted, entries can still contain confidential project details, user corrections, paths, commands, or operational context that may be exposed in later prompts.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The empty matcher on the `UserPromptSubmit` hook causes the recall script to run for every user prompt without restriction. In a skill that automatically captures and recalls prior context, this broad trigger increases the attack surface for unintended command execution, excessive data collection, and prompt-coupled side effects on every interaction.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to install automatic hooks that invoke capture and recall scripts on every Bash tool use and user prompt submission, but it provides no consent, minimization, retention, or redaction guidance. Because these hooks process potentially sensitive commands, outputs, and prompt content, they can persist secrets, proprietary code context, or personal data into local project memory without users fully understanding the privacy implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This hook automatically writes tool output and the executed command into project-local files under `.reflexion/` whenever an error pattern is detected, but the file itself provides no explicit user-facing notice or consent gate before persisting that data. Even with partial redaction, command output commonly contains sensitive material such as file paths, source snippets, stack traces, tokens that do not match the regexes, or proprietary project context, so silent persistence increases confidentiality and privacy risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script silently appends content to `CLAUDE.md` and mutates per-entry JSON/state files as part of its normal operation, with no interactive confirmation or explicit user-facing notice at the point of action. In an agent skill that auto-learns from prior activity, this is security-relevant because untrusted or mistaken resolutions can be persistently written into project guidance, influencing future agent behavior and making prompt/data poisoning more durable.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This hook reads user-supplied prompt text, searches stored memories based on it, and emits the results as system-context injection without any disclosure or trust boundary. Because the recalled content comes from prior entries and is inserted at a higher-priority context level, an attacker can influence future agent behavior through prompt shaping or by poisoning the memory store, making this a real prompt/context-injection risk.

VirusTotal

66/66 vendors flagged this skill as clean.