wangkang-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it should be reviewed carefully because it encourages persistent memory, broad automatic reminders, and cross-session sharing without strong privacy guardrails.

Install only if you intentionally want persistent self-improvement memory. Prefer project-local hooks over global hooks, avoid empty matchers when possible, review scripts before enabling them, and do not store secrets, tokens, personal data, customer data, private prompts, or raw sensitive command output in learning files or promoted agent instruction files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence (Medium, 95% confidence)

The document's security section materially misstates behavior by claiming the scripts only output text and do not run commands, while the setup clearly installs them as command hooks and also documents executing an extract script directly. This can mislead users into granting trust or permissions under false assumptions, increasing the risk of unintended code execution or unsafe deployment of the hooks.

Vague Triggers (Medium, 89% confidence)

The trigger phrases are extremely broad and overlap with ordinary user conversation, which can cause the agent to log routine dialogue as durable records without meaningful consent or scoping. In the context of a persistence-oriented skill, this materially increases the chance of capturing sensitive or irrelevant user content and propagating it into long-lived memory files.

Vague Triggers (Medium, 88% confidence)

An empty matcher causes the UserPromptSubmit hook to run on every prompt, creating an unconditional trigger surface for a command hook. Because hook scripts execute automatically and may process untrusted prompt content or environment data, broad activation increases exposure, noise, and the chance that the mechanism is abused or causes unintended side effects.

Vague Triggers (Medium, 91% confidence)

The user-level configuration applies the empty matcher globally, so the hook will activate for all prompts across projects and contexts. That broadens the blast radius from a single repository to the whole user environment, making mistakes in the hook script or prompt-handling logic more dangerous.

Vague Triggers (Medium, 87% confidence)

Although labeled minimal setup, this configuration still uses an empty matcher and therefore remains unconditionally active for every prompt. Reducing the number of hooks lowers overhead, but does not address the core security issue of overly broad automatic execution.

Vague Triggers (Medium, 89% confidence)

The Codex CLI example repeats the same empty-matcher pattern, making the hook run for any submitted prompt. In a cross-tool setup, duplicating insecure defaults normalizes unconditional execution and increases the likelihood of widespread unsafe adoption.

Missing User Warnings (Medium, 93% confidence)

The guidance encourages promoting learnings into shared workspace files and using cross-session communication without any guardrails for secrets, personal data, tokens, or proprietary context. In a memory/self-improvement skill, this materially increases the chance that sensitive information from one task or session is persisted and later exposed to other sessions, agents, or users.

Ssd 3 (Medium, 91% confidence)

The skill encourages extensive logging of learnings and errors and later promotion to shared memory, but it provides no concrete safeguards for secrets, personal data, or sensitive business information. Because the purpose of the skill is persistent retention and reuse, missing data-minimization controls make accidental disclosure and over-retention significantly more likely.

Ssd 3 (High, 97% confidence)

The inter-session tooling explicitly supports reading transcripts from other sessions and sending learnings across contexts, which creates a direct path for natural-language exfiltration of sensitive information between agent sessions. In a skill centered on recording and sharing conversation-derived material, this substantially enlarges the trust boundary and can leak data to unrelated tasks or users.

Ssd 3 (High, 98% confidence)

The logging templates instruct the agent to preserve full context, user context, inputs, parameters, and actual error output, all of which commonly contain secrets, identifiers, internal URLs, stack traces, and personal data. Storing such material in markdown files creates durable plaintext records that can later be copied, committed, indexed, or shared across sessions.

Ssd 3 (Medium, 90% confidence)

The combination of automatic logging triggers and advice to 'promote aggressively' normalizes moving conversation-derived content into long-term memory and instruction files with little friction. This increases persistence and visibility of sensitive material, making accidental retention and secondary disclosure more likely over time.

VirusTotal

64/64 vendors flagged this skill as clean.