ClawHub

Fasterizy

Security checks across malware telemetry and agentic risk

Overview

This style skill is not clearly malicious, but its installer persistently changes local agent configurations and hook/plugin behavior beyond what a terse-answer skill summary suggests.

Install only if you want a persistent multi-agent integration, not just shorter answers. Prefer using the plain SKILL.md manually if that is enough. If you run the CLI, review selected agents and expect writes under Claude/Codex/Cursor/Windsurf configuration paths, possible GitHub fetches, copied hook scripts, and plugin/settings changes. Know how to run fasterizy stop, uninstall hooks/plugins, and inspect backups before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared behavior is a harmless response-style formatter, but the analyzed behavior summary indicates installation, filesystem modification, plugin registration, subprocess execution, and repository cloning across multiple agent environments. A skill that presents itself as formatting guidance while changing local configs and installing components is dangerous because users and policy systems may grant trust based on the benign description.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The CLI exposes operational capabilities such as install, update, plugin promotion, and hook removal that materially exceed the skill's declared purpose of producing terser prose. In a skill context, this broadens the trust boundary and enables filesystem and agent-environment modification, increasing the chance of unauthorized persistence or configuration tampering if invoked by a user or downstream automation.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
A GitHub-based self-update path is unrelated to the stated conversational formatting role and introduces a supply-chain and remote-code change surface into an otherwise low-risk skill. Even without code shown here, exposing update functionality from a skill-oriented CLI can normalize fetching and applying unreviewed changes that alter agent behavior or local configuration.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code manages Claude Code plugin installation, hook installation/removal, and settings changes despite the skill being described as a prose-formatting aid. In this context, modifying plugin and hook paths is more dangerous because hooks/plugins can affect future agent execution and create persistence or stealthy behavior changes beyond the user's immediate request.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This installer persistently modifies Claude configuration, marketplace metadata, installed plugin state, and enabled plugin settings in order to force-install and activate the plugin. For a skill whose stated purpose is only answer-formatting/prose behavior, this is an unjustified expansion of capability and creates persistence the user may not expect.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code performs a network git clone and manipulates Claude's internal marketplace records to source and register the plugin outside normal user-driven install flow. That behavior is risky because it imports remote code and alters trust/configuration boundaries for a skill that only claims to change response style.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script deletes files in the user's Claude hooks directory based on loose filename/content matching for 'fasterizy' and related names. Removing hook files is a destructive action unrelated to a prose-formatting skill and can disable user customizations or security-relevant automation without meaningful validation or consent.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The installer materially alters multiple agent environments by installing plugins, patching settings, adding hooks, and deleting legacy hook files, while the skill is described as a prose/verbosity aid. That mismatch is dangerous because users may grant trust appropriate for a harmless formatting skill, not for software that persists across tools and modifies configuration state on disk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code invokes external package-management commands via spawnSync to run `npx skills add ...`, which can install or execute code outside the local package boundary. For a skill whose stated purpose is only to change response style, subprocess-driven installation expands the trust boundary and creates unnecessary execution and supply-chain risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code installs native plugins/hooks, patches settings files, registers marketplaces, and removes old hook files across Claude Code and Codex. In the context of a simple answer-formatting skill, these persistent privileged modifications are more dangerous because they create durable execution points and broaden control over future agent sessions beyond what a user would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The update command invokes `npx skills add` against a GitHub-backed repository slug, which causes code/package retrieval and installation behavior outside the skill's advertised prose-formatting purpose. This creates a supply-chain and unexpected-capability risk: users invoking a seemingly harmless formatting skill may trigger remote code or content updates from `main`, increasing exposure to tampering or compromise of the upstream source.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file uses `spawnSync` to execute package-management operations (`npx skills add ...`) from within the skill tooling, giving the package subprocess execution capability unrelated to its stated answer-formatting role. In this context, the mismatch between declared function and actual behavior makes the capability more dangerous because users and reviewers may not expect remote install/update side effects from a prose-formatting skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill persists state in the agent's configuration directory by creating a '.fasterizy-active' flag file, even though the stated purpose is only to alter response style. This creates hidden cross-session behavior and writes into a sensitive user-controlled config area, which is a capability mismatch that can surprise users and weaken trust boundaries even if the file contents are minimal.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code reads configuration-related environment variables and performs create/delete operations in agent config directories, capabilities broader than what is justified by a simple response-formatting skill. Even though it includes some symlink checks, it still modifies persistent user state without clear necessity, which increases risk of unintended configuration tampering or stealthy behavior if the skill is installed in a trusted workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installer copies executable hook files into the user's agent configuration directory and edits the user's settings to invoke them automatically, but this code path provides no visible confirmation, warning, or consent gate. Because hooks execute on session start and prompt submission, a user can end up running package-provided code from a trusted config location without a clear prompt at install time, which is a meaningful security transparency and consent failure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This function silently enables Codex hook support by creating or appending to config.toml, thereby changing runtime behavior beyond simple package installation. Enabling a hook subsystem without explicit user acknowledgment lowers the barrier for automatic execution of installed hook scripts and can surprise users who did not intend to permit config-driven command execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The install path can be force-removed and hook cleanup is performed during installation without any visible confirmation or warning in this code path. Silent destructive changes increase the chance of accidental data loss, state corruption, and unauthorized persistence, especially since the plugin is also enabled automatically.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The code may clone from GitHub as part of installation without explicit disclosure in the execution path, causing an unexpected outbound network action and remote code retrieval. While less severe than the destructive local modifications, it still weakens transparency and trust for a formatting-oriented skill.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The file silently creates and deletes a persistent flag file with no user-facing disclosure in this code path. Silent state changes are dangerous because they can alter future agent behavior without the user's awareness, making troubleshooting and consent difficult even if the specific action is limited.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill is configured with `openclaw.always: true` and a description that says to use it whenever the user asks for terser or faster answers, even without the explicit skill name. That broad, implicit activation can override user intent and silently alter response style across ordinary requests, which is a prompt-scope control issue rather than a content bug.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
> **Warning:** This removes all contents of the target directory with no undo. Confirm host and path before running.
> ```bash
> rm -rf /srv/app/uploads/*
> ```
> After the user confirms they are on the right machine and have a backup if needed, continue in fasterizy style for what comes next.
Confidence
92% confidence
Finding
rm -rf /srv/app/uploads/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal