tpr-framework

Security checks across malware telemetry and agentic risk

Overview

This is mostly a documented planning workflow, but it also tells agents to persist session history, intercept reset commands, and run or update external code in ways users may not expect.

Install only if you are comfortable with a workflow skill that writes project records to disk, may pass transcripts to sub-agents, and recommends external execution tooling. Before using it, disable or ignore the update-daemon and reset-hook behavior, review any Ralph Loop scripts before running them, pin trusted versions where possible, and choose a dedicated project directory that does not contain secrets or unrelated private files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (17)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Intercepting user `/reset` or `/clear` commands in order to force a post-hoc write to persistent files undermines the user's expectation of session reset and can preserve conversation-derived data against user intent. This creates a retention and consent problem, especially if sensitive project details, user preferences, or prior prompts are summarized into durable workspace memory.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
This section instructs users or downstream agents to clone a remote repository and download executable shell scripts via curl, then mark them executable. That expands the skill from planning/analysis into supply-chain and code-execution territory, creating a path for unreviewed external code to be fetched and run in the local environment.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The document defines a workflow that generates prompts, initializes state, and launches an autonomous or executor loop for a coding agent. Even if framed as process guidance, this materially broadens the skill's behavior from TPR decision support into operational control of an agent that can modify files and continue iterating, increasing the chance of unintended actions or prompt-to-action escalation.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The file adds hidden update-checking and self-modification behavior to a skill described as a structured thinking/decision-support framework. That capability is outside the stated purpose of the skill and can cause the agent to execute local scripts and change its own installed content without clear user awareness or consent, expanding the attack surface significantly.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
Instructing the agent to run a local update-check script and later perform `git pull origin main` gives a reasoning skill unnecessary code-execution and self-updating powers. If the local script, repository, or upstream source is compromised, the skill can be altered remotely and persist new malicious behavior without a proper trust or verification model.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README instructs users to download multiple files directly from a remote repository and then make shell scripts executable, but it does not tell users to verify integrity, pin to a commit, or review the scripts before use. That creates a supply-chain risk: if the upstream repository, branch, or network path is compromised, users may run attacker-controlled code on their systems.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation explicitly tells users to execute downloaded shell scripts with bash, but it does not disclose that these scripts can modify files, environment state, or system/project configuration. In a skill installation context, this is more dangerous because users are primed to trust setup instructions and may run the commands without inspection.

Vague Triggers

Medium
Confidence: 91%
Finding
The activation triggers are broad and include generic situations like 'structured analysis complex problems,' project kickoff, drafting/reviewing plans, and 'systematic thinking before decisions.' This can cause the skill to activate for many unrelated requests, effectively overriding more specific skills or steering the agent into an imposed methodology the user did not request, which is a prompt-scope control issue rather than a direct code-execution risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The sub-agent templates instruct writing to project files (`BATTLE-R{round}-*.md`) and modifying `GRV.md` without requiring explicit user approval, dry-run behavior, or any safety boundary on filesystem changes. In an agent skill, that can cause unauthorized workspace mutation, overwrite existing project artifacts, and let a review workflow make persistent changes merely from following documentation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill directs automatic writes into the local workspace and generation of additional HTML artifacts without requiring a contemporaneous user-facing warning or confirmation before modification. In an agent environment, silent filesystem changes can surprise users, overwrite project content, or create unintended derivative files that expose sensitive material in alternate formats.

Missing User Warnings

Low
Confidence: 93%
Finding
Persisting self-improvement records in workspace files without clearly warning the user means conversation-derived operational history may be stored longer than expected. Even if intended for quality improvement, these records can accumulate sensitive snippets, failure details, or task metadata and create unnecessary data retention risk.

Missing User Warnings

Low
Confidence: 89%
Finding
The document repeatedly instructs the agent to write files to local directories and mark completion, but it does not consistently require explicit user confirmation immediately before data-affecting actions. In an agent skill, this can normalize filesystem modification as part of the workflow and lead to unintended writes, overwrites, or disclosure of local path information if the agent acts without a fresh consent boundary.

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow explicitly creates and forwards a complete TRANSCRIPT.md between agents and to the client without any minimization, redaction, classification, or consent step. In this skill context, discovery interviews are likely to contain sensitive business, personal, or credential-like information, so broad internal propagation increases privacy leakage and unnecessary data exposure risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document recommends bridging into an external Ralph Loop skill or other coding agents for real execution of code, scripts, or deployment, but does not require a safety review, sandboxing, permission boundaries, or user warning about system impact. In this context, the framework is explicitly designed to move from planning into implementation, so the lack of execution safeguards materially increases the chance of unsafe code execution, destructive changes, or unintended deployment actions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The markdown directs the agent to execute shell commands that run a local script and modify the installed framework, but it does not require a clear warning before doing so. This is dangerous because users may receive responses influenced by unannounced code execution or have their environment changed without informed consent.

Ssd 3

Medium
Confidence: 97%
Finding
The instruction to preserve conversation-derived experience into persistent memory when the user issues `/reset` or `/clear` conflicts with the user's apparent intent to discard context. This creates a data-survivability issue: sensitive content can remain in `patterns.md` or related files even after the user attempts to clear state, which is especially risky in a multi-project workspace.

Ssd 3

Medium
Confidence: 86%
Finding
The file instructs agents to write micro T/P/R outputs into an execution log or `self-improving/corrections.md`, which can create persistent storage of user-derived context, operational details, and possibly sensitive project data. In agent frameworks, persistent plain-text logs often outlive the task boundary and may later be read by other agents, surfaced to users, or retained without minimization, increasing privacy and data-leak risk.

VirusTotal

64/64 vendors flagged this skill as clean.