Ai Capsule

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AI-news ranking tool that fetches public sources and stores local reports, with a few hardening issues users should understand.

Install only if you are comfortable with the agent fetching configured public news sources and keeping a persistent local profile and article history. Prefer an explicit phrase like 'ai-capsule daily' when invoking it, avoid pasting confidential articles, and be careful with scripts/add-source.sh until its --industry path validation is tightened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
The script constructs the destination path as "$SKILL_DIR/sources/${INDUSTRY}.yaml" using untrusted input from --industry without constraining it to a safe filename pattern or canonicalizing and verifying it stays under the sources directory. An attacker can supply path traversal sequences such as '../../../tmp/pwn' and cause the script to append attacker-controlled YAML content to arbitrary writable files outside the intended directory.

Vague Triggers

Severity: Medium. Confidence: 91%.
Using the single-word trigger "daily" is overly broad and likely to collide with ordinary user conversation, causing unintended skill activation. In an agent environment, accidental invocation can lead to network fetches, ranking actions, and writes to local state without the user clearly intending to run this skill.

Vague Triggers

Severity: Medium. Confidence: 89%.
The README says that pasting any URL or article text will cause the skill to score that content, but it does not define limits on content type, trust level, or handling boundaries. This broad invocation surface increases the chance that the skill processes untrusted or sensitive pasted material and may trigger unsafe downstream fetch or parsing behavior in the agent runtime.

Missing User Warnings

Severity: Low. Confidence: 84%.
The README discloses that configuration and history are stored under ~/.ai-capsule/, but it does not prominently warn users that their profile, preferences, and article history will persist locally. This can create privacy surprises, especially on shared systems or in environments where users expect ephemeral agent interactions.

Vague Triggers

Severity: Medium. Confidence: 90%.
Using a very broad trigger like 'daily' creates a prompt/skill invocation collision risk during ordinary conversation. In an agent environment, that can cause the skill to run unexpectedly, leading to unsolicited network fetches, file reads, config initialization, or writes based on casual user phrasing.

Vague Triggers

Severity: Medium. Confidence: 92%.
The mode detection logic matches 'daily' and related keywords without clear boundaries or exclusion rules, so benign text can accidentally trigger daily mode. Because daily mode leads to reading additional instruction files and performing external retrieval, ambiguous activation increases the chance of unintentional side effects and data processing.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The skill explicitly instructs the agent to create or append a daily report, append to history and dedup tracking files, and delete pending.json, but it provides no explicit safety boundary, confirmation requirement, or backup/rollback guidance. In an agent setting, these are real state-changing filesystem operations on user data, so a mistake in path resolution or repeated execution could cause unintended data loss, duplication, or corruption.

VirusTotal

65/65 vendors flagged this skill as clean.