skill-deep-audit

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill auditor with purpose-aligned reads, report creation, and opt-in fixes, but its read-only wording is overstated.

Install only if you are comfortable with the agent reading the target skill directory and creating an audit report inside it. Do not treat the default audit as strictly no-write: it writes AUDIT files and may leave syntax-check cache files. Use `--fix` only after reviewing the report, because it can change skill files, though it requires a backup and user authorization.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The README makes a materially misleading safety claim: it says the auditor is read-only by default, yet also states it writes `AUDIT-{YYYY-MM-DD}.md` into the audited skill directory. In an agent setting, this contradiction can cause unintended modification of user repositories, break assumptions about safe dry-run behavior, and undermine trust in guardrails around write operations.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: This is the same underlying safety contradiction restated in the red-lines section: the document claims the audit never modifies audited files, but elsewhere instructs creation of a markdown artifact inside the target path. Conflicting invariants around mutation are risky in automated agents because operators may approve execution under a false belief that no filesystem writes occur.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The skill repeatedly claims normal audit operation is read-only, yet the standard workflow requires writing an AUDIT report into the audited skill directory. This breaks the stated safety boundary and can cause unintended modification of user files, especially when the audited directory is treated as immutable, version-controlled, or security-sensitive.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The documentation contains a direct contradiction: it promises read-only/report-only behavior, then later mandates creation of a report file during that same normal audit path. This inconsistency is dangerous because operators and downstream agents may rely on the read-only guarantee and invoke the skill in contexts where any write is prohibited.

Vague Triggers
Severity: Medium
Confidence: 85%
Finding: The trigger list uses broad natural-language phrases like 'audit a skill' and 'is this skill ready to ship', which can overlap with ordinary user requests and cause unintended activation. In an agent environment, overbroad triggers increase the chance the skill runs unexpectedly and performs file reads or writes without the user realizing this specific skill has been engaged.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill requires writing an audit report file during normal operation, but the behavior summary emphasizes read-only semantics and does not prominently warn users up front that their files will be modified. This weakens informed consent and can surprise users in environments where any write is operationally sensitive.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding: The template instructs the audited skill to tell users to reply with a generic trigger word, "fix", to start a one-click modification workflow. Because the trigger is short and common in normal conversation, an agent may misinterpret incidental user text as consent to perform file-changing actions, increasing the risk of unintended writes despite the stated backup behavior.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The template describes a one-click fix flow but does not define strict preconditions for when the fix action may activate, such as requiring an existing report, a matching session state, scope validation, and explicit user confirmation tied to that report. In an agent setting, ambiguous activation conditions can let unrelated user replies or prompt injection steer the system into modification mode.

VirusTotal

63/63 vendors flagged this skill as clean.