Wanng Ide Auto Skill Hunter

Security checks across malware telemetry and agentic risk

Overview

This skill is designed to find and install other skills, but it needs review because it can inspect private agent history, install and test new code, and send reports outside the local environment.

Install only after reviewing whether you want this skill to read prior agent conversations and memory files, modify the local skills directory, and run self-tests for newly installed skills. Use --dry-run first, set SKILL_HUNTER_NO_REPORT=1 unless external reporting is explicitly acceptable, avoid scheduled --auto runs in sensitive environments, and manually review candidate repositories before allowing live installation or execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Severity: Medium (95% confidence)
Finding:
The skill reads broad local context sources including USER.md, personality state, task memory, and recent session JSONL files to drive autonomous decisions. This creates unnecessary access to sensitive cross-session data and expands the blast radius because the same data later influences external searches, reports, and installation actions.

Description-Behavior Mismatch

Severity: Medium (95% confidence)
Finding:
The skill exceeds its stated discovery/install role by executing installed code for validation and sending an external report. Combining code execution with outbound reporting turns a package discovery helper into a capability-expanding agent that can run untrusted code and disclose internal state without clear user approval.

Context-Inappropriate Capability

Severity: High (99% confidence)
Finding:
validateRunnableSkill executes node "index.js" --self-test inside newly installed skills, including content cloned from remote repositories. That is direct execution of untrusted code from an external source, which can lead to arbitrary command execution, persistence, data theft, or lateral modification of the agent environment.

Missing User Warnings

Severity: Medium (95% confidence)
Finding:
The README explicitly describes mining recent conversations, session logs, and task memory to derive unresolved problems, but it does not present a clear consent, minimization, retention, or privacy boundary. In a skill designed for proactive scheduled operation, this creates a real risk of collecting and processing sensitive user data without user awareness, especially if logs contain credentials, personal data, or confidential business context.

Missing User Warnings

Severity: Medium (97% confidence)
Finding:
The README mentions that external report sending can be disabled, which strongly implies recommendations or derived results may be transmitted off-system, but it does not clearly disclose destination, contents, triggers, or safeguards. Because the skill mines user conversations and task context, external reporting could leak sensitive operational or personal information beyond the local environment.

Vague Triggers

Severity: Medium (89% confidence)
Finding:
The activation criteria are broad enough that the skill may run in many ordinary situations without clear necessity. Because this skill can install and execute external code and inspect session context, ambiguous triggering materially increases the chance of unintended high-risk actions.

Vague Triggers

Severity: Medium (90% confidence)
Finding:
The 'When to Use' guidance permits invocation based on vague patterns like recurring issues or timer-based growth, without defining scope, consent, or stopping conditions. In a skill that reads memory and modifies the local skill set, this ambiguity can cause unnecessary data processing and unreviewed system changes.

Missing User Warnings

Severity: Medium (94% confidence)
Finding:
The skill states it extracts signals from recent chats and profile/personality data for ranking, but does not provide a clear privacy notice, consent model, or data minimization policy. This is dangerous because sensitive user content and inferred profile data may be processed and potentially included in outbound searches or reports without adequate transparency or control.

Vague Triggers

Severity: Medium (89% confidence)
Finding:
The manifest description explicitly says the skill acts 'autonomously' to discover and install skills based on broad signals like unresolved user problems and capability gaps. That creates an overly permissive activation scope for a high-risk behavior—installing new code-like capabilities—without clear user confirmation boundaries, making unintended or unsafe tool expansion more likely. In this context, the danger is elevated because the skill is for proactive skill discovery and installation, so vague triggering language can cause the agent to initiate supply-chain-affecting actions when the user did not clearly request them.

Missing User Warnings

Severity: High (98% confidence)
Finding:
The skill clones arbitrary remote repositories and writes files into the local skills directory without an explicit confirmation gate. In an agent environment, silent installation of remote code materially changes the local execution surface and can prepare later code execution or persistence.

Ssd 3

Severity: Medium (93% confidence)
Finding:
The skill is marketed as using unresolved problems from recent conversations plus profile/personality signals to drive autonomous discovery and installation decisions. That behavior constitutes ongoing secondary use of user data beyond the immediate conversation purpose, and in the absence of strong consent and scope limits it can expose sensitive preferences, work patterns, or private context.

Ssd 3

Severity: Medium (94% confidence)
Finding:
The README frames mining session logs and recent user messages as a core automated pipeline, including scheduled patrol behavior. Continuous automated processing materially increases privacy risk because sensitive data may be repeatedly ingested and repurposed without fresh user intent, especially in shared or enterprise environments.

Ssd 3

Severity: Medium (98% confidence)
Finding:
The feature explicitly states it reads recent user messages from session JSONL files, which is direct access to stored conversation history. This is particularly dangerous because session files may contain secrets, personal data, internal strategy, or regulated information, and the README provides no indication of sanitization, access control, or least-privilege handling.

Ssd 3

Severity: Medium (96% confidence)
Finding:
The skill harvests recent user session content from multiple JSONL session files and uses it as search/report context. This creates a cross-context data leakage path where unrelated prior user inputs can influence external requests and reporting, potentially exposing sensitive information without user awareness.

Ssd 3

Severity: Medium (92% confidence)
Finding:
Task memory bullets matching problem patterns are pulled into the workflow and later echoed in reports. Because task memory can contain sensitive user-provided details, this creates a disclosure channel from stored internal notes into visible outputs or external reporting systems.

Ssd 3

Severity: Medium (97% confidence)
Finding:
The generated report includes recent problem summaries derived from prior user messages and task context, and sendHunterReport then forwards that report externally. This normalizes exfiltration of historical user content to an external reporting channel, increasing privacy and confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.