Feedback Learning

Security checks across malware telemetry and agentic risk

Overview

This skill is local and purpose-aligned, but it stores raw feedback and automatically turns repeated feedback into persistent rules that can affect future agents.

Install only if you want persistent shared feedback memory for agents. Before enabling the AGENTS.md hooks or cron jobs, scope the learning directory per project or agent, review genes.json before agents use it, add expiry or deletion for old events, and avoid logging secrets or sensitive user text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs agents to append user feedback, trigger text, context, and hints directly into a persistent event log without any minimization, redaction, retention limit, or warning. Because the inputs are user-provided and may contain secrets, personal data, or prompt-injection text, this creates a durable data leakage and privacy risk that can later taint reports or downstream automation.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script persistently logs user-supplied context, signals, and hints into a shared file under $HOME without any consent, notice, retention control, or data minimization. In a feedback-learning skill, those fields can easily contain sensitive user content, operational context, or private prompts, so silent accumulation creates a privacy and data-exposure risk even though the write is intentional and not overtly malicious.

VirusTotal

66/66 vendors flagged this skill as clean.
