six-dimension-evolution

Security checks across malware telemetry and agentic risk

Overview

This skill is a real self-improvement framework, but it sets up recurring memory reviews that read conversation history and can send full reports externally.

Install only if you intentionally want an always-on agent memory and daily review system. Before activating it, review the exact HEARTBEAT.md changes, back up existing memory files, disable or explicitly configure Feishu delivery, and regularly inspect or delete generated memory, preference, review, conflict, and log files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The README instructs the agent to execute shell commands that inspect and modify the user's workspace, including copying files and setting activation state. For a self-improvement/evolution skill, this grants operational file-system side effects beyond merely describing a framework, and if followed automatically could change agent behavior and persistence without robust safeguards.

Context-Inappropriate Capability

Medium, 94% confidence
Finding
The skill explicitly instructs the agent to modify HEARTBEAT.md and register recurring scheduled tasks, which changes the agent's automation behavior beyond simple six-dimension recordkeeping. This is dangerous because it creates persistent autonomous behavior and broadens the skill's effective scope without a narrowly bounded, transparent consent flow.

Description-Behavior Mismatch

Medium, 93% confidence
Finding
The manifest presents the skill as a self-improvement/evolution framework, but the implementation also installs heartbeat workflow files and rewires the scheduler entrypoint. That mismatch is security-relevant because users may consent to note-taking or analytics while unknowingly authorizing persistent task execution and workflow expansion.

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The template explicitly requires pushing the complete daily review through Feishu, which introduces external data transmission beyond a local self-improvement/memory-review function. Because the review aggregates user intent, preferences, habits, lessons, and memory-derived content, this creates a clear exfiltration path for sensitive internal state and user data.

Description-Behavior Mismatch

Medium, 91% confidence
Finding
Triggering Feishu notifications during memory-conflict handling adds an outbound messaging behavior not necessary for core review logic. Even if intended for human oversight, it can leak conflict summaries, file paths, session references, and other sensitive metadata to an external system without a clear authorization boundary.

Context-Inappropriate Capability

High, 97% confidence
Finding
A self-improvement/evolution skill does not inherently need broad external messaging, and requiring delivery of the full review is disproportionate to the stated purpose. In this context, the capability is especially dangerous because the report consolidates sensitive conversation-derived memory into a single outbound message, increasing the blast radius of any misuse or misconfiguration.

Context-Inappropriate Capability

Medium, 90% confidence
Finding
Automatic Feishu notifications for conflict events are an unjustified external capability relative to the skill's purpose of internal memory evolution. This can expose operational details and sensitive conflict records to external recipients, especially if notification routing or recipient controls are weak.

Missing User Warnings

Medium, 90% confidence
Finding
The skill describes automatic installation of multiple files into the workspace and behavioral activation, but does not clearly warn about file modifications, persistence, or potential overwrite/behavior-change risk in user-facing language. This can lead users to approve changes without understanding that durable memory, logging, and workflow files are being added.

Missing User Warnings

Medium, 94% confidence
Finding
The activation instructions direct file writes and copies via shell commands without explicit overwrite protections, backups, or user-visible warnings. If executed by an agent, existing files such as LESSONS.md, SUCCESSES.md, or heartbeat workflows could be silently replaced, altering future behavior and preserving data in ways the user did not intend.

Missing User Warnings

Medium, 96% confidence
Finding
The skill instructs the agent to copy files into the workspace, create directories, write installation state, and update HEARTBEAT.md, but it does not provide a sufficiently explicit warning about the full set of persistent modifications. Persistent file and scheduler changes without clear upfront disclosure undermine informed user consent and can silently alter future agent behavior.

Missing User Warnings

Medium, 94% confidence
Finding
The instruction mandates sending the complete report externally without any warning, consent step, or privacy safeguard, despite the report containing user-derived memory and internal analysis. This omission increases the likelihood of accidental disclosure because operators may treat the transmission as routine and safe.

Missing User Warnings

Medium, 93% confidence
Finding
This template explicitly describes automatic gap detection, immediate recording to KNOWLEDGE_GAPS.md, and follow-on learning during heartbeat or idle periods, but it does not pair those behaviors with clear user notice, consent, or scope limits. In an agent skill, silent persistence and background activity can create privacy, autonomy, and surprise-action risks because the system may store user-derived information and initiate actions outside the current interaction.

Vague Triggers

Medium, 89% confidence
Finding
The maintenance rules allow preference updates based on broad signals such as repeated user behavior or indirect evidence from a lessons database, which can cause the agent to infer and persist sensitive or incorrect user preferences without clear consent. In a self-improvement/evolution skill, this is more dangerous because the system is explicitly designed to accumulate long-lived user models, so ambiguous triggers can lead to privacy-invasive profiling and hard-to-correct memory contamination.

Vague Triggers

Medium, 90% confidence
Finding
The trigger conditions for recording a success are broad and subjective: user thanks, adopts advice, or expresses satisfaction. In a self-improvement/evolution system, this can cause the agent to treat weak or noisy signals as validated success patterns, reinforcing behaviors without rigorous verification. Over time this can poison the success library and bias future decisions based on misleading feedback.

Ssd 3

Medium, 96% confidence
Finding
The skill promotes detailed per-skill logging and persistent extraction of 'valuable information' from user interactions into memory files. This creates a broad retention pipeline for potentially sensitive user data, preferences, and historical activity without any minimization, redaction, retention limit, or consent model.

Ssd 3

Medium, 97% confidence
Finding
The daily review workflow explicitly instructs the agent to read prior memory, extract valuable user information, update core memory, and generate reports, forming an ongoing persistent data-processing loop. In context, this materially increases privacy risk because the skill's purpose is long-term adaptation, making user profiling and retention central rather than incidental.

Ssd 3

Medium, 91% confidence
Finding
The skill establishes ongoing collection of lessons, successes, decisions, preferences, and related user-interaction data into persistent files. This is dangerous because it normalizes long-term retention and profiling of user behavior without a clear data-minimization policy, retention boundary, or explicit consent for sensitive preference/memory storage.

Ssd 3

Medium, 92% confidence
Finding
The daily review workflow instructs the agent to read memory files from prior conversations and update a consolidated memory file, creating an automated pipeline for cross-session persistence. This increases privacy risk because prior interaction data may be repeatedly reprocessed, summarized, and amplified without per-session approval or clear limits on what should be retained.

Ssd 3

Medium, 90% confidence
Finding
The heartbeat rules require generating a session summary even when there was no meaningful interaction, which institutionalizes routine session logging regardless of necessity. This is risky because it promotes indiscriminate persistence and metadata accumulation, making it easier to build unnecessary user activity histories over time.

Ssd 3

Medium, 96% confidence
Finding
The daily review includes accumulated user preferences, habits, lessons, decisions, and knowledge gaps, and the template requires sending the full contents in plain language via Feishu. That creates a direct sensitive-data disclosure risk, since memory-derived and conversation-derived information may be exposed to third parties or broader audiences than intended.

VirusTotal

64/64 vendors flagged this skill as clean.
