MCU Persona Distiller Framework

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent persona-building and publishing framework, but its publish script can use GitHub credentials, create public repositories and force-push changes without adequate user safeguards.

Review scripts/publish.sh before running it. Use a least-privilege or short-lived GitHub token scoped to the target repository, avoid the default "both" target (GitHub and ClawHub) unless you intend to publish externally, remove any remote whose URL embeds the token once the push is done, and consider replacing the unconditional force push and the global git config changes with safer scoped commands (for example git push --force-with-lease and per-invocation git -c settings).
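The recommendations above, worked through as an added example. This is not the skill's own scripts/publish.sh and not code from its author: it is a POSIX sh helper that redacts token-bearing remote URLs, refuses the external "both" target without an explicit opt-in, audits a script body for the three risky patterns (bare force push, --global config writes, credentials embedded in a URL), and pushes with per-invocation -c settings, a credential helper and --force-with-lease instead of --force. The names GH_TOKEN and PUBLISH_EXTERNAL, the target names github/clawhub/both, the repository URL and the sample script body are assumptions for illustration, not taken from the page.

```shell
#!/bin/sh
# Added example, not the skill's scripts/publish.sh. Assumptions: the token is
# supplied in GH_TOKEN, publish targets are named github, clawhub and both,
# and the caller passes the remote URL and branch.
set -eu

# Strip an embedded user:token@ from an HTTPS remote URL so the URL can be
# stored in .git/config or logged without leaking the credential.
redact_remote() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^@/]+@#\1#'
}

# Accept github or clawhub; refuse the external "both" target unless the
# caller has opted in explicitly with PUBLISH_EXTERNAL=yes.
check_target() {
  case "$1" in
    github|clawhub) return 0 ;;
    both) [ "${PUBLISH_EXTERNAL:-no}" = "yes" ] ;;
    *) return 1 ;;
  esac
}

# Review helper: print one "finding:" line per risky pattern in a script body.
# Flags a bare --force or -f on git push (not --force-with-lease), global git
# config writes, and user:token@ credentials embedded in a remote URL.
audit_publish_script() {
  body="$1"
  if printf '%s\n' "$body" | grep -qE 'git push .*(--force|-f)( |$)'; then
    echo "finding: unconditional force push"
  fi
  if printf '%s\n' "$body" | grep -qE 'git config --global'; then
    echo "finding: global git config mutation"
  fi
  if printf '%s\n' "$body" | grep -qE 'https?://[^@[:space:]]*:[^@[:space:]]*@'; then
    echo "finding: token embedded in remote URL"
  fi
}

# Number of findings for a script body (0 when it is clean).
count_findings() {
  audit_publish_script "$1" | awk 'END { print NR }'
}

# Push with per-invocation config (-c) instead of --global, hand the token to
# git through a credential helper instead of the URL, and use
# --force-with-lease so the push aborts if the remote branch moved since it
# was last fetched. The helper reads GH_TOKEN from its environment;
# x-access-token is the username GitHub expects for token authentication.
safe_push() {
  remote="$(redact_remote "$1")"
  branch="$2"
  [ -n "${GH_TOKEN:-}" ] || { echo "GH_TOKEN is not set" >&2; return 1; }
  echo "Pushing HEAD to $remote ($branch) with GH_TOKEN; remote history is rewritten" >&2
  git -c user.name="${PUBLISH_NAME:-persona-bot}" \
      -c user.email="${PUBLISH_EMAIL:-persona-bot@example.invalid}" \
      -c credential.helper='!f() { echo "username=x-access-token"; echo "password=$GH_TOKEN"; }; f' \
      push --force-with-lease "$remote" "HEAD:$branch"
}

# Constructed sample of the risky pattern, used only to exercise the auditor.
SAMPLE_PUBLISH='git config --global user.name "persona-bot"
git remote add origin https://x:ghp_exampletoken@github.com/acme/persona.git
git push --force origin main'

# Demonstration on the constructed sample (prints three findings).
audit_publish_script "$SAMPLE_PUBLISH"
# Real use (needs a repository and GH_TOKEN in the environment):
#   check_target github && safe_push https://github.com/acme/persona.git main
```

--force-with-lease still rewrites history whenever the remote branch matches the local remote-tracking ref, so it guards against racing with someone else's push rather than replacing an explicit confirmation that overwriting the remote is intended.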

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability
Severity: Medium. Confidence: 96%.

The repository block of scripts/publish.sh creates or updates remote GitHub repositories and performs a forced push, a remote-modification capability with destructive potential. In the context of an agent skill this goes well beyond passive content generation: if the slug or account context is wrong, it can overwrite an existing, unrelated repository.

Missing User Warnings
Severity: Medium. Confidence: 86%.

The script consumes authentication tokens for GitHub operations without prominently warning the user that credentials will be used for networked repository actions. In agent or automation contexts, silent token use makes it more likely that users invoke privileged operations without understanding their scope.

Missing User Warnings
Severity: High. Confidence: 99%.

Using git push --force without confirmation can irreversibly rewrite remote history and destroy existing repository state; once the previous commits are unreachable on the remote, recovery depends on the host still holding the orphaned objects, which the user cannot rely on. This is especially dangerous in a publishing skill because users expect a simple upload, not a destructive overwrite of prior content. git push --force-with-lease is the usual substitute: it refuses the push if the remote branch has moved since it was last fetched, although it still rewrites history when that check passes.

Missing User Warnings
Severity: Medium. Confidence: 88%.

The script transmits data to GitHub and ClawHub as part of publishing, but the user-facing output does not clearly disclose that locally generated content and metadata will be sent to external services. Without that disclosure, generated output or local files the user never intended to publish can be exfiltrated accidentally.

Natural-Language Policy Violations
Severity: Medium. Confidence: 92%.

The template hard-codes the response language from the user's first message, removing ongoing user choice. If the initial message was accidental, mixed-language or proxy-generated, the interaction is locked into an inferred preference without confirmation, which can cause unintended disclosure or exclusion. This is not a classic security flaw, but it is a genuine safety and privacy issue because it mishandles user intent.

VirusTotal

No VirusTotal findings
