Agent Config

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it gives an agent broad, persistent authority to rewrite its own behavior and write related logs beyond the clearly advertised core files.

Install only if you want an agent to help maintain its own configuration. Require explicit approval before edits to AGENTS.md, SOUL.md, TOOLS.md, MEMORY.md, HEARTBEAT.md, BOOTSTRAP.md, daily memory files, or decision/failure logs, and periodically inspect those logs for sensitive or unwanted persisted instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill metadata says it is for modifying core context files, but the protocol expands scope to additional files like dated memory logs and BOOTSTRAP.md. This creates a scope-creep risk where an agent following the skill may write to files outside the user’s expected configuration surface, increasing the chance of unintended persistence or policy changes in less scrutinized locations.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The protocol instructs the agent to write significant changes to external decision logs under a separate path, which is outside the advertised core context files. That enables indirect persistence of instructions, sensitive operational context, or user data into auxiliary files that may not be covered by the same review, retention, or access expectations.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The failure-handling workflow tells the agent to write to a separate learnings log outside the declared context-file scope. Even though framed as documentation, this creates another unbounded persistence channel where operational details or sensitive failures can accumulate beyond the files the user intended this skill to touch.

Vague Triggers

Medium
Confidence: 95%
Finding
The manifest description is extremely broad and designed to trigger on almost any request involving changes to agent behavior, rules, memory, personality, or procedures. Because this skill edits high-trust context files that shape future agent behavior, over-broad activation increases the chance it is invoked in ordinary conversations and used as a prompt-injection persistence mechanism or to weaken safety controls.

VirusTotal

64/64 vendors flagged this skill as clean.