Zen Master

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local Zen persona skill, but users should know its installer can overwrite agent behavior files and its wellbeing advice is not professional mental-health support.

Install this only into a test or backed-up agent workspace unless you intentionally want that agent's identity, memory, and tool guidance replaced. Review the generated markdown files before relying on the agent, and do not use the Zen Q&A as a substitute for licensed mental-health care or emergency support.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The installer does more than add a knowledge base: it unconditionally creates or overwrites IDENTITY.md, SOUL.md, TOOLS.md, and MEMORY.md in the target agent directory. This can silently replace an existing agent's operational persona and behavioral constraints, causing integrity loss and potentially changing how the agent responds in security- or policy-sensitive contexts.

Missing User Warnings

Medium
Confidence: 93%
Finding
This entry gives mental-health style coping guidance for anxiety in a generalized, authoritative tone but provides no boundary that it is not a substitute for professional help and no escalation path for severe distress. In an agent skill, users may present significant anxiety, panic, or crisis symptoms, and purely contemplative advice can delay appropriate care or be inadequate for high-risk situations.

Missing User Warnings

High
Confidence: 98%
Finding
The response addresses existential suffering and says life does not need meaning, but it does so without any check for suicidality, crisis warning, or recommendation to seek urgent support. For a distressed user, especially one expressing that life feels meaningless and painful, this can be unsafe because it may fail to recognize acute risk and may discourage timely intervention.

VirusTotal

65/65 vendors flagged this skill as clean.
