Self Improvement (done properly)

Security checks across malware telemetry and agentic risk

Overview

This skill transparently creates workspace memory notes for reusable lessons, with no evidence of exfiltration or hidden destructive behavior, but users should review what gets persisted.

Install this only if you want durable workspace-level memory. Keep `.learnings/` out of commits if it may contain sensitive details, review entries before promoting them into `AGENTS.md`, `CLAUDE.md`, or similar instruction files, and use the optional hooks only if you want recurring reminders in future sessions.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs the agent to read and write files in the workspace via `scripts/learnings.py` and related helpers, yet no explicit permission declaration is present in the metadata. That mismatch can defeat policy gating or user expectations, because a reviewer may treat the skill as documentation-only while it actually persists data and modifies project memory files.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
When `--force` is used, the script recursively deletes all files and directories beneath the target skill path before recreating the scaffold, without validating ownership or expected scaffold contents. If the target directory contains unrelated or manually added files, a user can unintentionally destroy data inside the workspace, making this a destructive overwrite issue rather than simple scaffolding.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs the agent to initialize and write persistent files in the workspace root, but it does not require notifying the user before those modifications occur. Silent project-file mutation is risky because it can change repository state, create commits with unintended content, or store sensitive operational notes without the user's awareness.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The rule 'Do not interrupt the user with bookkeeping. Log silently' explicitly normalizes background persistent logging without transparency. In context, this is more dangerous than ordinary automation guidance because the skill is designed to retain corrections, failures, and workflow details for future sessions, making covert data capture and unexpected file changes a core behavior.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger set uses broad phrases like 'remember that for future tasks', 'capture the lesson', and 'check whether we already logged any learnings' without stronger guardrails on scope, storage target, or when the skill must not activate. In a self-improvement skill, this can cause unintended activation on ordinary debugging, planning, or repo-maintenance prompts, leading the agent to create or consult durable memory when the user may not have intended that behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The `--force` flag enables destructive recursive deletion with little user-facing warning beyond the option name, increasing the likelihood of accidental data loss. In a self-improvement skill context, users may expect safe lesson capture rather than removal of existing content, so the mismatch between intent and behavior makes the operation more dangerous from an operational safety perspective.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill's stated purpose is to capture debugging details, user corrections, missing capabilities, and workflow friction into durable memory. That creates a real data-retention risk because those entries may include secrets, internal paths, incident details, or personal/workflow context in plain language, and the document does not impose redaction, minimization, or consent checks.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instruction to log silently combines persistence with lack of transparency, which materially increases privacy risk. Because the logged content is specifically derived from user corrections and operational context, the skill could retain sensitive information indefinitely in workspace files that may later be committed, shared, or resurfaced to other agents.

VirusTotal

64/64 vendors reported this skill as clean.