Security audit

自我提升助手 (Self-Improvement Assistant)

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly malicious, but it is a broad self-improving system that can learn from many interactions, store memories, and modify skill behavior with limited safeguards.

Install only if you deliberately want a cross-skill memory and self-improvement system. Keep optional hooks disabled unless reviewed, avoid using it on sensitive projects, require manual review for every memory or skill-file write, and periodically inspect or delete stored memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The file states that errors trigger self-correction, but the manifest comments and configured hooks only log errors. This mismatch can mislead operators into believing failures are automatically contained or repaired, causing unsafe reliance on a mechanism that does not actually exist.

Vague Triggers

Medium
Confidence: 92%
Finding
The documented manual trigger phrases include broad, natural-language commands such as '总结教训' and '改进 [技能名称]' that could plausibly appear in normal conversation or unrelated workflows. In a self-improving agent that learns from all skill experiences and can modify behavior based on past interactions, ambiguous invocation increases the risk of unintended activation, causing unexpected analysis, memory writes, or self-modification actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The hooks description states that pre-tool, post-bash, and session-end scripts are present, and the sample configuration shows they receive tool names, tool input, tool output, and exit codes, but the documentation does not warn users that potentially sensitive command data and session artifacts may be captured and processed. For a memory-driven self-improving skill, this omission is security-relevant because users may unknowingly expose secrets, proprietary code, or sensitive operational context to persistence or downstream processing.

Vague Triggers

High
Confidence: 94%
Finding
The README defines automatic triggering after essentially any skill completion, creating an extremely broad execution surface for a self-improving component that can update skills and consolidate memory. In this skill’s context, that broad scope is especially dangerous because it amplifies unintended propagation of bad patterns, unauthorized modifications, and silent collection of cross-skill data.

Missing User Warnings

Medium
Confidence: 96%
Finding
The description emphasizes learning and automatic updates but does not clearly warn users that the skill may persist memory data and modify other skills. That omission undermines informed consent and safe deployment, especially for a tool that operates across all skill interactions and changes the codebase over time.

Vague Triggers

Medium
Confidence: 79%
Finding
The manual triggers are broad and ambiguous, allowing activation from vague phrases without clear scoping or confirmation. In a skill that can write files, update other skills, and persist memory, loose activation conditions increase the chance of unintended execution and unauthorized changes.

Missing User Warnings

High
Confidence: 93%
Finding
The skill description emphasizes learning and automation but does not clearly warn users that it may update skill files and persist session-derived memory. This undermines informed consent and can lead users to expose sensitive data or permit repository modifications they did not realize would occur.

Ssd 3

Medium
Confidence: 91%
Finding
Stating that the agent learns from every skill interaction establishes a broad data collection behavior that can capture sensitive prompts, outputs, and operational context in natural language. In a cross-skill self-improving system, this creates real privacy and compliance risk because users may not expect their interactions to be retained and reused.

Ssd 3

Medium
Confidence: 95%
Finding
The memory design explicitly stores episodic experiences and working session context under a user-accessible filesystem path, which can lead to retention of secrets, proprietary content, and personal data in plain text. Because this skill is intended to absorb information from all skills, the memory store can become a concentrated repository of sensitive data and a high-value target.

Ssd 3

High
Confidence: 98%
Finding
The optional hooks pass tool input, tool output, and exit/session data into shell commands, directly enabling broad capture of potentially sensitive content and increasing the chance of logging secrets or regulated data. In this skill’s context, those hooks are particularly risky because they operationalize continuous surveillance across command execution and file-modification workflows.

Ssd 3

Medium
Confidence: 92%
Finding
Instructions to learn from every interaction and auto-log session/tool context create a broad data retention surface. In practice, this can capture secrets, proprietary code, credentials, prompts, and user-sensitive material far beyond what is necessary for skill improvement.

Ssd 3

Medium
Confidence: 95%
Finding
The experience extraction and episodic memory sections instruct storing task details, feedback, root causes, and session context in local memory files. This can accumulate sensitive operational history and user data over time, creating both privacy risk and a valuable target for later exfiltration or misuse.

Ssd 3

High
Confidence: 98%
Finding
The hook configuration passes raw tool input and output into shell scripts, which enables broad capture of user prompts, command arguments, file contents, execution results, and potentially credentials or tokens. Because this happens around Bash, Write, and Edit operations, the exposure is especially dangerous and could leak highly sensitive repository and runtime data.

VirusTotal

66/66 vendors flagged this skill as clean.