Skylv Self Healing Agent

Security checks across malware telemetry and agentic risk

Overview

This self-healing skill is not clearly malicious, but it can run arbitrary shell commands and apply fixes automatically with weak boundaries.

Install only if you are comfortable giving the skill command-execution and local repair authority. Prefer using it in dry-run or analysis-only mode, review every proposed change, avoid production or sensitive repositories, and do not pass untrusted command strings to watch mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises capabilities that imply network access and command execution, but it does not declare permissions or boundaries. That creates a transparency and policy-enforcement gap: users or platforms may authorize the skill under weaker assumptions than its actual behavior, increasing the chance of unintended external access or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior materially differs from the described purpose: beyond repair suggestions, it can watch and run arbitrary shell commands, persist learned patterns, and expose broader automation features. This mismatch is dangerous because users may invoke the skill expecting passive diagnosis while actually enabling execution and state-changing behavior, which raises command-injection, unsafe automation, and trust-boundary risks.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Watch mode passes attacker-controlled or user-supplied text directly into execSync, which invokes a shell and allows arbitrary command execution. In an agent skill context, this is especially dangerous because upstream prompts, logs, or workflow state could influence the command string, expanding the skill from diagnostics into unrestricted code execution.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README describes the skill as acting when an AI agent hits 'an error' without defining boundaries on what kinds of errors are in scope, what systems may be touched, or what actions are prohibited. In a self-healing agent, this broad trigger can cause over-application of automated remediation to unrelated failures, increasing the chance of unsafe command execution or unintended modifications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README markets the tool as automatically detecting and repairing agent workflow errors, but it does not clearly warn users that fixes may modify code, configs, commands, or runtime state. That omission is dangerous because users may invoke the skill expecting passive diagnostics when it is actually capable of making changes, which can lead to integrity, availability, or operational safety issues.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The watch mode example shows the tool running an arbitrary command with self-healing monitoring, but the README does not warn that this involves subprocess execution plus potential automatic remediation based on observed failures. In this context, the combination of command execution and auto-fix behavior materially raises risk because users may expose local systems or projects to unintended command chaining, retries, or state-changing repairs.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger keyword "debug" is so broad that it may activate this skill in unrelated contexts. Because the skill is positioned to diagnose, watch commands, and potentially auto-apply fixes, accidental invocation could lead to unintended monitoring, execution, or workflow changes when a user only wanted general debugging help.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The description promises automatic fix application without prominently warning that fixes may involve code, file, or command changes. In a self-healing context, that omission is risky because users may not realize the skill can alter local state or execute repair flows, leading to unsafe trust and insufficient review before changes occur.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The usage examples normalize auto-heal and command-watching behaviors without a clear warning about monitoring command output or performing automated repair actions. Examples strongly shape operator expectations, so presenting high-risk actions as routine can cause users to run them without understanding the security and reliability implications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The tool runs arbitrary shell commands in watch mode without meaningful warning, restriction, or safety boundary. Even if intended as a convenience feature, in a self-healing agent this broad subprocess capability can be repurposed to execute destructive local commands, exfiltrate data, or chain with prompt/argument injection.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
2. **Root Cause Diagnosis** — Matches against known fix pattern database
3. **Auto-Fix Application** — Applies fixes when confidence ≥ 85%
4. **Pattern Learning** — Learns new patterns from user corrections
5. **Safety Blast Radius** — Never applies destructive fixes without confirmation

---
Confidence
90% confidence
Finding
without confirmation

VirusTotal

63/63 vendors flagged this skill as clean.