Ghost Catalog

Security checks across malware telemetry and agentic risk

Overview

Ghost Catalog mostly does local file cataloging as advertised, but the package also bundles a separate meta-skill that can inspect and edit other installed skills, which is broader than the cataloging purpose.

Install only after reviewing whether you want both Ghost Catalog and the bundled improve-skill. Use it in a version-controlled workspace, configure .ghost_ignore before scanning, keep secrets and private data out of scope, and require explicit review before any tag, report, database update, or skill-file modification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
The skill is framed as an evaluator, but it also instructs itself to edit another skill and rerun it. That expands it from analysis into modification of trusted system behavior, creating an unnecessary write-capable path that could be used to change prompts or capabilities without explicit, narrowly scoped approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Allowing a meta-skill to alter other installed skills is broader than its stated purpose and creates a supply-chain-style risk inside the agent environment. If misused or triggered inappropriately, it could silently weaken guardrails, change auto-invocation behavior, or introduce unsafe instructions into multiple downstream skills.

Vague Triggers

Severity: Medium
Confidence: 88%
Defaulting to a full workspace scan on bare invocation creates overly broad behavior that may inspect many files the user did not explicitly intend to process. In a local-file skill, this can expose sensitive project contents in summaries or trigger unintended enumeration of large repositories, especially because the skill is user-invocable and designed to traverse the filesystem.

Missing User Warnings

Severity: Medium
Confidence: 93%
The skill includes workspace-modifying operations such as prepending headers to files and writing a markdown report, but it does not prominently warn users that these actions change repository contents. This increases the risk of accidental file modification, noisy diffs, broken file semantics in edge cases, or compliance/report artifacts being written without informed consent.

Vague Triggers

Severity: Medium
Confidence: 92%
The auto-invocation guidance uses broad phrases, such as asking what files are in a project or asking about file organization, which can cause the skill to trigger in many normal repository conversations. Because this skill can scan the workspace and also modify files in later flows, overly broad invocation increases the chance of unintended enumeration or of steering users into a file-mutating workflow they did not explicitly request.

Missing User Warnings

Severity: Medium
Confidence: 88%
The skill describes tagging behavior that prepends headers directly into files, but the documentation does not prominently warn at the top level that invoking the skill may alter source files. This creates a consent and integrity risk: a user may invoke what appears to be a cataloging utility and unintentionally modify code, configs, or other sensitive project files, potentially breaking formats or workflows.

Vague Triggers

Severity: Medium
Confidence: 88%
The auto-invocation triggers use vague everyday phrases like 'that didn't work right' and 'how can we make this better,' which can cause the skill to run when the user did not intend to authorize a broad evaluation of installed skills. In this case, the risk is amplified because the skill can proceed from evaluation into editing other skills.

Vague Triggers

Severity: Medium
Confidence: 84%
The description defines usage in overly broad terms such as whenever a skill feels incomplete or produces suboptimal results, which makes invocation boundaries ambiguous. Ambiguous activation criteria increase the chance that the skill is selected in normal troubleshooting conversations and then gains visibility into skill definitions and project context unnecessarily.

VirusTotal

66/66 vendors flagged this skill as clean.