wangkang-skill

Security checks across malware telemetry and agentic risk

Overview

This is a genuine self-improvement logging skill, but as shipped it can persist conversation-derived guidance into long-lived agent instruction and memory files, and so carry it into future sessions, without adequate safeguards.

Review the hook configuration and the scripts it invokes before installing. Use the skill only in trusted workspaces, avoid global (user-level) hooks, narrow hook matchers, and require explicit user approval before saving raw context or promoting anything into agent instruction or memory files. Do not log secrets, credentials, personal data, proprietary snippets, or transcript contents; keep only short sanitized summaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Intent-Code Divergence

Severity: Medium | Confidence: 97%
The document's security section is internally inconsistent: it says the scripts only output text and do not run commands, while the hook configuration clearly invokes shell commands via the hook system. This can mislead users into underestimating execution risk, causing them to enable auto-executed hooks without appropriate review of the referenced scripts and their side effects.

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
The document expands a narrowly scoped self-improvement skill into updating persistent operational prompt files such as AGENTS.md, SOUL.md, and TOOLS.md. That creates a prompt-persistence channel where transient errors, adversarial user input, or injected content can be promoted into long-lived behavioral instructions affecting future sessions.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
The self-improvement skill's stated purpose is to capture corrections and failures, but this integration guide also documents reading session history and sending messages across sessions. Those capabilities materially expand scope and can expose unrelated context, enabling cross-session data leakage or propagation of poisoned 'learnings' beyond the originating conversation.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
The OpenClaw-specific triggers instruct the system to write observations directly into operational prompt files like TOOLS.md, AGENTS.md, and SOUL.md. Because trigger conditions are broad and can be influenced by normal interaction or malicious prompting, this creates a durable prompt-injection and behavior-modification path.

Vague Triggers

Severity: Medium | Confidence: 81%
The skill's activation guidance is broad enough that normal conversation patterns could trigger logging behavior frequently. In practice this can cause unnecessary persistence of conversational content, increase noise, and raise the risk that incidental or sensitive data is captured in learning files.

Vague Triggers

Severity: Medium | Confidence: 90%
The listed trigger phrases such as common corrections, requests, and error-like language lack guardrails or exclusion criteria. That makes over-collection likely, especially in long interactive sessions where users may mention hypothetical errors, preferences, or sensitive details that should not be persisted.

Missing User Warnings

Severity: Medium | Confidence: 93%
The skill instructs the agent to log user corrections, requests, and learnings but never warns against storing secrets, personal data, or proprietary business context. Because these logs are intended for persistence and promotion into memory/context files, any captured sensitive content could be retained and propagated beyond the original conversation.

Missing User Warnings

Severity: Medium | Confidence: 95%
The error template explicitly encourages recording inputs, parameters, environment details, and raw error output, all of which commonly contain API keys, file paths, URLs, customer data, or internal infrastructure details. In a logging skill, this is particularly dangerous because it normalizes durable storage of precisely the data most likely to be sensitive.
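The two "Missing User Warnings" findings above describe what the error template captures (inputs, parameters, environment, raw error output), and the two "Description-Behavior Mismatch" findings describe the promotion path into AGENTS.md, SOUL.md and TOOLS.md. The following is an added example, not code from wangkang-skill or its scripts, of the control the Overview asks for: a capture is reduced to a short sanitized summary before it is stored anywhere, and promotion into the named instruction files requires explicit approval. The staging path, the in-memory store, the redaction patterns and the sample error entry are all constructed for this example; the patterns are a starting point, not a complete secret detector.

```python
"""Sanitize a captured learning entry and gate its promotion into instruction files.

Added example, not code from wangkang-skill. Assumptions: the protected file names
come from the findings on this page; STAGING_FILE is a hypothetical location;
LearningStore keeps its files in memory as a stand-in for real files; the
redaction patterns are illustrative, not exhaustive.
"""
import re

PROTECTED_FILES = {"AGENTS.md", "SOUL.md", "TOOLS.md"}   # named in the findings
STAGING_FILE = "learnings/staging.md"                    # hypothetical staging location
MAX_SUMMARY_CHARS = 240                                  # "short sanitized summaries"

# Applied in order: the Bearer rule runs first so the key=value rule does not split a header.
REDACTIONS = [
    (re.compile(r"\bBearer\s+[A-Za-z0-9._-]+"), "Bearer [REDACTED]"),
    (re.compile(r"(?i)\b([\w-]*(?:api[_-]?key|token|secret|password)[\w-]*)\s*[:=]\s*\S+"),
     r"\1=[REDACTED]"),
    (re.compile(r"\bsk-[A-Za-z0-9_-]{8,}\b"), "[REDACTED]"),      # bare OpenAI-style key
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED]"),          # AWS access key id
    (re.compile(r"https?://\S+"), "[URL]"),                       # internal endpoints
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),         # personal data
    (re.compile(r"/(?:home|Users)/[^\s/]+"), "/~"),               # home directory paths
]


def sanitize(text: str) -> str:
    """Redact secret-like material, collapse to one line, and truncate to a short summary."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    text = re.sub(r"\s+", " ", text).strip()
    if len(text) > MAX_SUMMARY_CHARS:
        text = text[: MAX_SUMMARY_CHARS - 3].rstrip() + "..."
    return text


class LearningStore:
    """In-memory stand-in for the skill's learnings/ and prompt files (hypothetical layout)."""

    def __init__(self) -> None:
        self.files: dict[str, list[str]] = {}

    def stage(self, raw_entry: str) -> str:
        """Sanitize a raw capture and append it to the staging file; raw text is never stored."""
        summary = sanitize(raw_entry)
        self.files.setdefault(STAGING_FILE, []).append(summary)
        return summary

    def promote(self, target: str, summary: str, approved: bool = False) -> bool:
        """Copy a staged summary into target. Returns False (writes nothing) when target
        is an instruction file and the user has not explicitly approved the promotion."""
        if sanitize(summary) != summary:
            raise ValueError("refusing to promote text that has not been sanitized")
        if summary not in self.files.get(STAGING_FILE, []):
            raise ValueError("only staged summaries can be promoted")
        if target in PROTECTED_FILES and not approved:
            return False
        self.files.setdefault(target, []).append(summary)
        return True


# Constructed sample of what the error template asks for; every secret-looking value is fake.
RAW_ERROR_ENTRY = """\
Command: curl -H "Authorization: Bearer eyJhbGciOi.fakepayload.sig" https://api.example.internal/v1/export
Error: 401 Unauthorized for user alice@example.com
Env: OPENAI_API_KEY=sk-constructed1234567890 HOME=/home/alice
Learning: retry with refreshed token before calling export.
"""


if __name__ == "__main__":
    store = LearningStore()
    summary = store.stage(RAW_ERROR_ENTRY)
    print("staged:", summary)
    print("promote to TOOLS.md without approval:", store.promote("TOOLS.md", summary))
    print("promote to TOOLS.md with approval:", store.promote("TOOLS.md", summary, approved=True))
```

The two hard errors (unsanitized or unstaged text) are raised rather than returned so an agent cannot silently fall back to writing the raw capture; the approval gate returns False so the caller can surface a confirmation prompt instead of crashing.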

Vague Triggers

Severity: Low | Confidence: 87%
The template tells authors to include trigger conditions, but it does not require them to be specific, testable, or bounded. In an agent skill system, vague activation criteria can cause overbroad invocation, making a skill run in contexts it was not intended for and increasing the chance of unsafe automation or prompt-scope abuse.

Vague Triggers

Severity: Low | Confidence: 90%
The minimal template's description placeholder is so generic that authors may omit clear invocation limits entirely. That creates a reusable pattern for ambiguous skills, which can lead to unintended triggering across unrelated tasks and weakens safety controls at the design stage.

Vague Triggers

Severity: Low | Confidence: 89%
For script-capable skills, vague trigger descriptions are more dangerous because ambiguous activation can lead not just to bad advice but to execution of helper scripts in the wrong context. When executable components are involved, poorly bounded invocation criteria increase the risk of unintended command execution, side effects, or misuse of privileged tooling.

Vague Triggers

Severity: Medium | Confidence: 93%
Using an empty matcher makes the UserPromptSubmit hook fire for every prompt, creating broad automatic execution on all interactions. In a self-improvement skill, that increases exposure to prompt-triggered behavior, unnecessary data capture, and repeated execution of local scripts without meaningful scoping.

Vague Triggers

Severity: Medium | Confidence: 94%
The user-level configuration enables the hook globally across sessions, which magnifies the blast radius of any bug, unsafe behavior, or future change in the referenced scripts. Because activation is broad and persistent, it can affect unrelated projects and contexts where automatic learning capture is inappropriate or sensitive.
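The two findings above concern hook scope: an empty matcher on the UserPromptSubmit hook and a user-level settings file that applies to every project. Below is an added example, not the skill's own code, of an audit that flags both conditions, plus hook commands that use shell operators or run a script outside a reviewed project directory, and shows a weak configuration beside a hardened one. It assumes a settings layout of `{"hooks": {"<Event>": [{"matcher": ..., "hooks": [{"type": "command", "command": ...}]}]}}`, the shape used by hook-capable agent CLIs, and that the runner compares the matcher against the event before firing (empty or wildcard meaning always); the `.claude/hooks/` directory, the `^/learn\b` matcher and both sample configurations are constructed for the example.

```python
"""Audit an agent hook configuration for the scoping problems the findings describe.

Added example, not code from wangkang-skill. Assumptions (not stated on the page):
settings are shaped {"hooks": {"<Event>": [{"matcher": ..., "hooks": [{"type":
"command", "command": ...}]}]}}; the matcher is compared against the event before
the hook fires, with empty or wildcard meaning "always"; the caller knows whether
the file came from a user-level (global) or project-level location; and
ALLOWED_SCRIPT_DIR is a hypothetical project-relative directory for reviewed scripts.
"""
import re
import shlex

BROAD_MATCHERS = {"", "*", ".*", ".+"}
ALLOWED_SCRIPT_DIR = ".claude/hooks/"          # hypothetical, project-relative
SHELL_OPERATORS = re.compile(r"[|;&`$<>]")     # pipes, chaining, redirection, substitution


def audit_hook_config(settings: dict, scope: str) -> list[str]:
    """Return human-readable findings for one settings file; [] means nothing flagged.

    scope is "user" for a global settings file or "project" for a per-project one.
    """
    findings = []
    if scope == "user":
        findings.append("user-level settings: every hook here runs in all projects on this machine")
    for event, entries in settings.get("hooks", {}).items():
        for entry in entries:
            matcher = str(entry.get("matcher", "")).strip()
            if matcher in BROAD_MATCHERS:
                findings.append(f"{event}: empty/wildcard matcher, hook fires on every {event} event")
            for hook in entry.get("hooks", []):
                cmd = hook.get("command", "")
                if hook.get("type") != "command" or not cmd:
                    continue
                if SHELL_OPERATORS.search(cmd):
                    findings.append(f"{event}: command uses shell operators, review side effects: {cmd!r}")
                if not any(tok.startswith(ALLOWED_SCRIPT_DIR) for tok in shlex.split(cmd)):
                    findings.append(
                        f"{event}: command does not run a reviewed script under {ALLOWED_SCRIPT_DIR}: {cmd!r}")
    return findings


# Constructed sample of the weak shape the findings describe: a user-level file with an empty
# UserPromptSubmit matcher, a script living outside the project, and output appended to a log.
WEAK_SETTINGS = {
    "hooks": {
        "UserPromptSubmit": [
            {"matcher": "",
             "hooks": [{"type": "command",
                        "command": "bash ~/.claude/skills/self-improve/scripts/capture.sh"
                                   " >> ~/.claude/learnings.log"}]}
        ]
    }
}

# Hardened counterpart: a project-level file, a narrow matcher (hypothetical slash-command
# prefix), and a reviewed project-local script that only stages a proposal for approval.
HARDENED_SETTINGS = {
    "hooks": {
        "UserPromptSubmit": [
            {"matcher": r"^/learn\b",
             "hooks": [{"type": "command",
                        "command": "python3 .claude/hooks/stage_learning.py"}]}
        ]
    }
}


if __name__ == "__main__":
    for name, settings, scope in [("weak", WEAK_SETTINGS, "user"),
                                  ("hardened", HARDENED_SETTINGS, "project")]:
        print(f"{name} ({scope} scope):")
        for finding in audit_hook_config(settings, scope) or ["no findings"]:
            print("  -", finding)
```

The audit deliberately reports the command text alongside each finding: the page's first finding is that the skill's own documentation understates what the hooks execute, so the reviewer should read the referenced script rather than trust the description.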

Vague Triggers

Severity: Medium | Confidence: 84%
The trigger conditions include common events such as user corrections, command failures, API errors, and knowledge gaps, which are routine in normal operation. Ambiguous activation makes it easy for an attacker to deliberately trigger the skill and influence what gets recorded or persisted, especially when combined with auto-promotion workflows.

VirusTotal

66/66 vendors returned a clean verdict (0 detections). A clean file-scan result covers only the packaged files; it does not address the hook scoping, prompt-persistence and over-collection findings above, which concern what the skill instructs the agent to do.
