Smart Agent Template

Security checks across malware telemetry and agentic risk

Overview

This workflow skill needs review because it can auto-update itself, store conversation memory, and includes Feishu bot startup code that disables TLS security.

Review before installing. Disable automatic updates unless you trust and have inspected the remote; do not run the Feishu long-connection scripts until the TLS-verification bypass and the SDK monkey-patching are removed; and only enable bot memory features after deciding what user data may be stored, for how long, and which AI endpoint may receive it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (50)

Description-Behavior Mismatch (Medium, 93% confidence)

The template instructs the agent to persist user corrections, preferences, and similar conversational data into long-lived logs and memory files as part of normal operation. In a generic workflow template, this creates unnecessary retention of potentially sensitive user data without purpose limitation, consent, or minimization controls, increasing privacy and data-governance risk across future sessions.

Description-Behavior Mismatch (Medium, 89% confidence)

The README presents the skill as a methodology/workflow aid, but also enables operational behavior through automatic remote updates at startup. That broadens trust boundaries from local guidance to executable maintenance behavior, which can introduce supply-chain risk and unreviewed changes into the agent environment.

Description-Behavior Mismatch (Medium, 91% confidence)

The README expands a supposedly channel-agnostic workflow skill into deployable Telegram and Feishu bot integrations, introducing network-facing execution paths and credentialed external communications. This materially changes the risk profile because users may install what appears to be documentation/methodology content but receive components that interact with external services.

Description-Behavior Mismatch (Low, 88% confidence)

The document instructs the agent to automatically persist per-conversation metrics to a log file, expanding the skill from transient workflow guidance into ongoing telemetry collection. While the stored fields are not the full conversation content, they still create durable behavioral records about user activity and task patterns without any stated minimization, retention, or consent controls.

Context-Inappropriate Capability (Low, 92% confidence)

The AGENTS.md integration section operationalizes automatic logging after every conversation, which turns the telemetry into default behavior rather than an optional admin action. This increases privacy risk because task type, memory usage, correction count, and duration become systematically persisted for all interactions, enabling profiling or unintended disclosure if logs are exposed.

Context-Inappropriate Capability (High, 99% confidence)

The code disables TLS certificate verification globally via environment variables and by overriding Python's default SSL context. This allows man-in-the-middle interception of Feishu API traffic and any other HTTPS connections made by the process, exposing app credentials, access tokens, and message contents. In a bot that handles authentication and user conversations, this is especially dangerous because the compromise affects all outbound network trust decisions.

Context-Inappropriate Capability (High, 99% confidence)

The script monkey-patches the global websocket connect function to always use an unverified SSL context, which disables TLS certificate validation for all websocket connections in the process. This enables man-in-the-middle interception or impersonation of the Feishu service, exposing bot traffic, tokens, and commands; the template/workflow context does not justify this behavior and makes it especially risky as a reusable starter component.

Intent-Code Divergence (Medium, 94% confidence)

The comments and docstring describe the change as an SSL 'fix' for local proxy certificates, but the implementation fully disables certificate verification rather than safely handling trust configuration. That framing can mislead operators into deploying insecure code in production, increasing the chance that the high-risk TLS bypass remains unnoticed.

Description-Behavior Mismatch (High, 99% confidence)

The script deliberately patches the Feishu SDK to disable TLS certificate verification by injecting ssl._create_unverified_context() into the websocket connection. This makes the bot trust invalid or attacker-controlled certificates, enabling man-in-the-middle interception of bot traffic and secrets; for a workflow template, this capability is unjustified and materially increases risk.

Context-Inappropriate Capability (Critical, 100% confidence)

The script modifies installed third-party library source code so that websocket connections use an unverified SSL context, permanently weakening transport security for that SDK in the environment. Because this affects authentication and message transport to Feishu, an attacker positioned on the network could intercept or tamper with traffic, potentially compromising bot credentials, messages, and downstream actions.

Context-Inappropriate Capability (Medium, 89% confidence)

The Claude adapter allows a caller-supplied base_url, which means full prompts, conversation history, and long-term memory can be sent to any arbitrary endpoint rather than only to Anthropic. In a Telegram integration, that materially increases the risk of silent exfiltration of sensitive user content if configuration is changed to a malicious or untrusted proxy.

Context-Inappropriate Capability (Low, 95% confidence)

The startup code reads sensitive configuration and prints part of the Telegram bot token plus the full admin chat ID to stdout. Even partial secret disclosure and identifier exposure can leak into logs, container output, or centralized monitoring systems, increasing the risk of credential targeting and operational reconnaissance.

Context-Inappropriate Capability (Medium, 92% confidence)

This workflow-template document authorizes broad TAPD and Confluence access even though the skill is described as a general process template, not an integration-specific operational playbook. That expands the agent's effective authority to query or publish in external systems, increasing the risk of unnecessary data exposure, unintended writes, or abuse if the template is reused in other contexts.

Context-Inappropriate Capability (Medium, 90% confidence)

Including browser automation as a generally available installed skill exceeds the stated scope of a workflow/process template and introduces a powerful capability unrelated to core coordination. Browser automation can interact with authenticated web sessions and external sites, which materially increases the risk of data exfiltration, unintended transactions, or unsafe automation if invoked by loosely scoped tasks.

Context-Inappropriate Capability (Medium, 95% confidence)

The protocol instructs users to push skill changes to a remote GitLab repository after modification, which grants the template an external write path beyond simple workflow guidance. In a skill context, that is dangerous because it can propagate harmful or unreviewed changes outside the local environment and turn a local prompt or process compromise into persistent supply-chain impact.

Description-Behavior Mismatch (Medium, 94% confidence)

This script implements remote self-update of the local project by fetching from a configured Git remote and pulling code into the repository at startup. In the context of a workflow/template skill, that behavior materially exceeds the stated purpose and creates a supply-chain risk: whoever controls the configured remote or branch can change local code without an explicit trust or review step.

Context-Inappropriate Capability (Medium, 92% confidence)

Network-based code update is not clearly necessary for a smart-agent workflow template, so its presence increases risk without clear functional justification. Even if intended for convenience, fetching and integrating remote code on startup broadens the attack surface and can introduce unreviewed behavior changes through configuration or remote compromise.

Missing User Warnings (Medium, 95% confidence)

The startup flow mandates an automatic update check via a shell script by default before other work, with no user-facing notice, confirmation, or trust constraints. This creates a supply-chain and unintended-execution risk because the agent may run code or networked update logic automatically in contexts where users did not authorize side effects.

Missing User Warnings (Medium, 92% confidence)

The guide instructs implementers to persist user memory in a local ChromaDB store and describes it as suitable for large-scale, multi-user memory, but it provides no guidance on consent, retention limits, access controls, encryption, or deletion policy. In an agent skill context, "memory" is likely to contain sensitive personal or conversational data, so normalizing indefinite local storage without safeguards creates a real privacy and compliance risk.

Missing User Warnings (Medium, 88% confidence)

The `clear` flow deletes all records for a user with no warning, confirmation pattern, audit note, or backup guidance. While not an exploit by itself, documenting destructive deletion as a routine operation without safeguards increases the chance of accidental or unauthorized data loss in production integrations.

Missing User Warnings (Medium, 93% confidence)

The migration and export examples directly read and write memory files containing user data but omit any warning about sensitive-data handling, secure file permissions, redaction, or destination security. In this skill's context, these examples encourage bulk movement of accumulated user memory, which amplifies exposure risk if the files are copied, committed, shared, or stored insecurely.

Missing User Warnings (Medium, 92% confidence)

The quickstart explicitly demonstrates storing user messages and profile-like personal data (for example, a person's name, profession, and programming skills) in a persistent memory backend, but it provides no warning about privacy, consent, retention, deletion, or access controls. In a real bot deployment, this can lead operators to collect and retain personal data indefinitely without informing users, increasing privacy, compliance, and data-leak risk.

Missing User Warnings (Medium, 93% confidence)

Describing automatic remote updates on startup without strong warning or consent is dangerous because it permits remote repository changes to alter agent behavior transparently. In an agent skill context, startup execution and update behavior can affect every subsequent session, making compromise or accidental breakage more impactful.

Missing User Warnings (Medium, 91% confidence)

The skill explicitly describes automatic update behavior, including startup checks and silent update support, without warning users about network access or the possibility of code changing automatically. Silent or implicit updates can introduce supply-chain risk, unexpected behavior changes, and execution of newly fetched code without informed approval.

Missing User Warnings (Medium, 95% confidence)

The document describes automatically loading, updating, and exposing user memory via commands like /memory, but it does not warn users that their conversation data is being retained, surfaced back, and potentially reused across sessions. This creates a real privacy and consent issue because sensitive personal data may be stored or revealed without clear notice, user controls, retention policy, or minimization guidance.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.