Capability Evolver

Security checks across malware telemetry and agentic risk

Overview

This self-evolution skill is not clearly malicious, but it can run persistently and modify agent code or memory, its default review controls are weak, and its documentation is contradictory about what it actually does.

Install only in a sandbox or disposable branch with backups. Do not run the default automated or loop modes in production; use review or dry-run behavior, inspect the missing src implementation before trusting it, restrict memory/history paths, disable dynamic local-skill and external asset ingestion unless explicitly needed, and use least-privilege short-lived tokens for release workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The README minimizes the tool as 'only generating prompts/guidance' while elsewhere documenting continuous looping, lifecycle management, health checks, and auto-restart behavior. This mismatch can cause operators or downstream agents to grant the skill more trust than warranted and deploy it in environments where autonomous behavior is unsafe or prohibited.

Intent-Code Divergence

Severity: Low
Confidence: 81%
Finding
The documented dynamic detection of local skills means behavior can expand based on ambient workspace contents, which contradicts or at least weakens the claimed environment-agnostic and bounded execution model. In agent systems, undocumented capability discovery is dangerous because a colocated skill can silently alter outputs, data flows, or tool usage without explicit operator approval.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README states that the skill can analyze logs, write code patches, and run continuously in the background, but the primary usage section does not prominently warn users that it may modify source files and other workspace artifacts. For a self-modifying agent skill, this omission increases the chance of unsafe deployment, accidental code changes, or unattended execution in sensitive repositories.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding
The public release section instructs users to provide GitHub token environment variables but does not warn about token scope minimization, storage hygiene, or exposure through logs, shell history, or CI output. This is a real but lower-severity documentation security issue because it can contribute to credential mishandling in operational use.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill advertises autonomous self-modification and immediate application of changes in default automated mode, with review presented as optional rather than required. In the context of an agent skill, this is dangerous because it normalizes unreviewed code and memory changes derived from runtime history, which can amplify prompt injection, poisoned logs, or simple misdiagnosis into persistent system compromise or destructive changes.

Ssd 1

Severity: Medium
Confidence: 92%
Finding
The identity framing and mutation directive push the agent toward constant self-improvement behavior, including 'Forced Optimization' when no errors are found. This is risky because role-based steering can weaken normal caution boundaries and cause unnecessary code changes, especially in a self-modifying skill that already has authority to inspect history and propose or apply mutations.

VirusTotal

66/66 vendors flagged this skill as clean.