Aidlc

Security checks across malware telemetry and agentic risk

Overview

This is a coherent software-development workflow skill, but it requires broad workspace scanning and persistent verbatim logging of user input, which can retain sensitive data unexpectedly.

Install only if you are comfortable with the agent scanning the repository and creating or updating many workflow files. Before use, ask it not to record raw user messages, secrets, credentials, tokens, private URLs, or proprietary snippets in audit.md, and scope it to a dedicated repository or branch so generated state and documentation are easy to review before committing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file gives contradictory instructions: it first tells the agent to present an inline multiple-choice welcome-back prompt in chat, then later mandates that multiple-choice questions must not be placed inline and should instead be written to .md files. This ambiguity can cause inconsistent agent behavior, including bypass of the intended control flow and confusing or unsafe UX around how prompts and stateful interactions are recorded.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger phrases are extremely broad (for example, generic requests like starting a project, new feature, bug fix, or refactoring), which makes accidental invocation likely during ordinary development conversation. In an agent skill, overbroad activation is dangerous because it can cause the agent to enter a high-authority workflow that writes files, scans the workspace, and logs user input without the user intentionally opting in.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill mandates that all user input be logged verbatim to an audit file, but it provides no user-facing disclosure, consent flow, minimization rule, or exclusion for secrets and sensitive data. This creates a clear privacy and security risk because users commonly paste credentials, internal code, incident details, or personal data into development chats, and the skill would persist that data in workspace artifacts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instruction to always log the continuity prompt to audit.md directs the agent to modify project files without requiring explicit user awareness or consent. In a development workflow skill, silent writes can create privacy, compliance, and integrity issues by persisting conversation-derived content into repositories or workspaces unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mandates automatic reading of a broad set of project artifacts, including code files and prior design documents, without any privacy or scope warning. In an agent skill that resumes development work, this can over-collect sensitive source code, credentials, internal architecture, or unrelated repository data beyond what the user expects for the immediate task.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to generate build documentation that includes environment-variable setup and credential configuration examples, but it provides no safeguards against exposing secrets in plaintext, logs, generated markdown, or shell history. In an AI-assisted workflow, this increases the chance that users or downstream agents will place real credentials directly into project docs or commands, creating avoidable secret leakage risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to create and update many files across the workspace, including state-tracking artifacts, without requiring an explicit upfront warning before modifications begin. In an agentic environment, this can lead to surprising filesystem writes, accidental overwrites of user content, and reduced user control over workspace changes, especially because the workflow is framed as mandatory and rerun-on-detection.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow directs the agent to create and update several persistent files, including planning/state/audit artifacts, without any guidance to minimize, redact, or warn about sensitive data handling. In a development workflow, users may paste credentials, internal architecture details, incident context, or proprietary requirements, which can then be unnecessarily retained across files and exposed to later readers or tools.

Missing User Warnings

High
Confidence
98% confidence
Finding
This step explicitly instructs logging the user's COMPLETE RAW response into an audit file without notice or filtering. Raw responses can contain secrets, personal data, source code, internal URLs, credentials, or regulated information; storing them verbatim creates a direct retention and secondary disclosure risk if the workspace is shared, committed, indexed, or later processed by other agents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to create `aidlc-docs/aidlc-state.md` automatically as part of workspace detection, which is a write operation to the user's filesystem without any explicit notice or consent checkpoint. In an agent setting, silent modification of the workspace can surprise users, pollute repositories, and trigger downstream automation or commits, especially because the file records absolute paths and project metadata.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly says to proceed with scanning and stateful workflow advancement with 'No user approval required', despite performing workspace inspection and potentially writing state information. Removing the approval boundary makes the behavior more dangerous in this context because the skill is designed to run at project start, when users may not expect automatic reads/writes across the repository.

Ssd 3

High
Confidence
99% confidence
Finding
This is a true sensitive-data exposure issue because the workflow explicitly requires retention of every user message in raw form inside `aidlc-docs/audit.md`. In the context of a development skill that encourages detailed requirements, bug reports, and code discussion, this materially increases the chance of storing API keys, proprietary source fragments, security findings, and personal information in a durable artifact that may later be committed, shared, or leaked.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instruction to log the user's complete raw approval input into an audit file can unnecessarily retain secrets, credentials, personal data, or proprietary information that the user may include in their response. Because approval text is free-form and the logging is mandatory, this creates a durable sensitive-data exposure risk without clear minimization or need-to-know limits.

Ssd 3

Medium
Confidence
97% confidence
Finding
The natural-language instruction to retain the user's full raw response in an audit log creates a clear data retention vulnerability even without executable code. Because this skill is an AI-driven software-development workflow, the surrounding context makes the issue more dangerous: users are especially likely to provide sensitive implementation details, bug reports, stack traces, secrets, and business context during planning and approval steps.
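The three Ssd 3 findings and the two high-confidence Missing User Warnings findings on verbatim logging all point at the same artifact: `aidlc-docs/audit.md` retaining raw user messages. Short of changing the skill, the practical control is to scan that file for credential-shaped strings before it is committed and redact what is found. The script below is an added example for this page, not code from the Aidlc skill or from SkillSpector; the file path comes from the findings above, while the secret patterns, the `[REDACTED:kind]` marker and the sample log entries are assumptions constructed for the example (every credential in the sample is fake).

```python
"""Scan an agent-generated audit log for credential-shaped strings and
redact them before the file is committed.

Added example for this page, not code from the Aidlc skill or SkillSpector.
The path aidlc-docs/audit.md is taken from the findings above; the patterns,
the redaction marker and the sample log are assumptions built for the example.
"""
import re
import sys
from pathlib import Path

# (kind, pattern). Value classes exclude '[' so that the [REDACTED:...] marker
# written by redact_secrets() is not matched again on a second run.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*")),
    ("private_key_block", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.S)),
    # password=..., api_key: "...", token = '...'; the key name stays visible
    ("assignment", re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b"
        r"(\s*[:=]\s*)(['\"]?)([^\s'\"\[]{8,})\3")),
    # URLs carrying userinfo, e.g. https://deploy:hunter2@git.internal/repo.git
    ("url_userinfo", re.compile(r"\b([a-z][a-z0-9+.\-]*://)[^/\s:@\[]+:[^/\s@]+@")),
]


def _replacement(kind, m):
    """Build the marker for one match; keep context that is not secret."""
    if kind == "assignment":
        return f"{m.group(1)}{m.group(2)}[REDACTED:{kind}]"
    if kind == "url_userinfo":
        return f"{m.group(1)}[REDACTED:{kind}]@"
    return f"[REDACTED:{kind}]"


def find_secrets(text):
    """Return sorted (line_number, kind) pairs for every match in text."""
    hits = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            hits.append((text.count("\n", 0, m.start()) + 1, kind))
    return sorted(hits)


def redact_secrets(text):
    """Return text with every match replaced by a [REDACTED:kind] marker."""
    for kind, pattern in PATTERNS:
        text = pattern.sub(lambda m, k=kind: _replacement(k, m), text)
    return text


def scan_audit_file(path, rewrite=False):
    """Scan one audit file. With rewrite=True the redacted text is written
    back in place; otherwise the file is left untouched. Returns the hits so
    a pre-commit hook can fail the commit when the list is non-empty."""
    text = Path(path).read_text(encoding="utf-8")
    hits = find_secrets(text)
    if hits and rewrite:
        Path(path).write_text(redact_secrets(text), encoding="utf-8")
    return hits


# Constructed sample of what a verbatim "User (raw)" audit entry can end up
# holding. Every credential below is fake.
SAMPLE_AUDIT = """\
## welcome-back prompt
User (raw): resume. FYI staging creds: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
User (raw): deploy remote is https://deploy:hunter2@git.corp.example/infra.git
User (raw): use token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij for the API
User (raw): header is Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.TXsTqYbMBKzBpOe7d2PB4
User (raw): db password: Tr0ub4dor&3xyz
User (raw): refactor the parser, no secrets here
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python redact_audit.py aidlc-docs/audit.md [--write]
        hits = scan_audit_file(sys.argv[1], rewrite="--write" in sys.argv[2:])
    else:
        hits = find_secrets(SAMPLE_AUDIT)
    for lineno, kind in hits:
        print(f"line {lineno}: {kind}")
    sys.exit(1 if hits and "--write" not in sys.argv else 0)
```

Run without `--write` from a pre-commit hook so that a commit containing an unredacted `aidlc-docs/audit.md` fails; run with `--write` to scrub the file in place. The patterns are a starting point only: they catch the common key shapes and key=value assignments but nothing that looks like ordinary prose, so the skill-level request in the overview (do not log raw messages at all) remains the stronger control.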

VirusTotal

63/63 vendors flagged this skill as clean.