Self Evolution Engine 自我进化引擎

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible self-improvement purpose, but it also includes paid billing code that can charge an external SkillPay account using an environment-derived user ID without a clear per-call consent step.

Install only if you intentionally want a paid self-evolution tool and are comfortable with SkillPay billing. Review or disable payment.py before use, avoid setting SKILLPAY_USER_ID unless you understand the charge path, rotate or remove the embedded billing key, and run file-changing commands only against test or explicitly chosen skill directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises and implies capabilities involving monitoring, patch generation, and likely external interactions, but it does not declare permissions despite requiring environment, file, and network access. This creates a transparency and least-privilege failure: users and platforms cannot accurately assess what the skill may access before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is self-evolution/optimization, but the finding indicates hidden billing behavior, external payment requests, balance checks, paywall enforcement, and an embedded third-party API key. Undisclosed monetization and embedded secrets materially change the trust boundary and can expose users to unauthorized charges, secret leakage, and unexpected network exfiltration.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file embeds a full billing and payment-enforcement mechanism inside a skill described as a self-improvement engine, which is unrelated to the stated purpose. This mismatch is dangerous because it introduces hidden monetization and execution blocking behavior that users and integrators would not reasonably expect, increasing the likelihood of deceptive charging or coercive paywalling.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code reads runtime identity from SKILLPAY_USER_ID and uses it for payment processing without any demonstrated need tied to the skill's self-evolution purpose. This is risky because environment variables often contain sensitive operational identity data, and silently repurposing them for external billing can expose user information and create unauthorized account linkage.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The verify_payment function claims to verify whether a user has already paid, but it actually calls charge_user and attempts to debit the user immediately. This deceptive naming and documentation can mislead reviewers and integrators into invoking a charging operation under the assumption that it is a harmless check, enabling unauthorized or surprise charges.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly states that it monitors execution logs and learns from user feedback, but it does not warn users that operational logs or user-provided content may be collected, analyzed, or retained. In this context, a self-improving engine may process sensitive prompts, outputs, file paths, error traces, or other telemetry, creating privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code performs billing-related network calls that transmit user identifiers and may initiate charges before any visible user-facing disclosure or consent flow. In the context of a non-billing skill, this is especially problematic because users are not given a meaningful chance to understand that identity data will be sent to a third-party billing service or that a charge may occur on startup.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Sensitive identity data is pulled from the environment and transmitted to a remote billing service without explicit disclosure in code flow or user prompts. This creates a covert data-sharing path that can surprise operators, leak identifiers across trust boundaries, and tie execution of the skill to a third-party service without informed approval.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The architecture explicitly describes automatic execution telemetry and local log-file persistence, but does not mention notice, consent, minimization, retention, or access controls. In a self-evolving skill, continuous collection of execution metadata can easily capture sensitive operational or user-derived data, making privacy leakage and unintended surveillance more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The sample execution record stores user_feedback together with detailed execution context, error messages, function names, sizes, and timestamps, creating a potentially linkable record of user interactions and system behavior. If these records are retained or shared without sanitization, they can expose personal data, secrets contained in feedback or errors, and internal system details useful for further attacks.

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
84% confidence
Finding
numpy

VirusTotal

65/65 vendors flagged this skill as clean.