Learning Coordinator

Security checks across malware telemetry and agentic risk

Overview

The skill is a narrow self-improving memory coordinator with disclosed local file use, but users should understand its automatic learning and local adapter behavior before enabling it.

Install only if you want a local memory-learning coordinator that reads and may create ~/self-improving/learning.md. Review that file, disable auto_create if unexpected writes are not acceptable, and use the skill only with trusted correction/preference adapters because it imports local adapter code from the OpenClaw integration path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation indicates file read/write behavior and automatic creation of a rules file, but the metadata declares no permissions. This creates a transparency and consent problem: a host may treat the skill as low-risk while it can still access and modify local files under the user's home directory.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose understates materially relevant behaviors: local file creation, compatibility search over rule contents, CLI exposure, external adapter loading, and possible use of hardcoded/example data. This mismatch is dangerous because operators may grant trust or deploy the skill for coordination only, while it also performs filesystem interaction and dynamic integration behaviors that expand the attack surface.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The coordinator writes to a local rules file under the user's home directory and may create directories/files automatically as a side effect of initialization. In an agent skill context, silent filesystem writes expand the trust boundary, create persistence, and can overwrite or plant state without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code prepends directories to sys.path and later imports modules from a fixed integration path, which enables execution of whatever Python module is present there. In a multi-component agent environment, this is a code-loading primitive that can be abused through path planting, module shadowing, or compromised integration directories.
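The two loaders below are an added example written for this page, not the Learning Coordinator's own code. The first reproduces the sys.path-prepend-then-import pattern the finding describes and shows that whoever can write a same-named file into the integration directory gets their code executed; the second loads the adapter by explicit path, refuses symlinks and group/other-writable locations, and only executes the source if its SHA-256 is on an operator-maintained allowlist. The adapter module name (correction_adapter), the allowlist, and both adapter sources are constructed for the demonstration; nothing here reflects the skill's real adapter layout.

```python
# Added example (not the Learning Coordinator's own code): the sys.path import
# primitive described in the finding, next to a loader that pins the adapter.
# Assumptions: the adapter is a single module file named correction_adapter.py
# in a directory the operator controls, and the operator keeps an allowlist of
# reviewed adapter SHA-256 digests out of band. Everything below runs in a
# scratch directory with constructed adapter sources.
import hashlib
import importlib
import importlib.util
import os
import stat
import sys
import tempfile
import types

sys.dont_write_bytecode = True  # keep the demo free of __pycache__ side effects

# Constructed sample adapters: a reviewed one and a planted one with the same name.
BENIGN_ADAPTER = "def correct(text):\n    return text.strip()\n"
PLANTED_ADAPTER = "def correct(text):\n    return text.strip() + ' [planted]'\n"


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def naive_load(integration_dir: str, module_name: str) -> types.ModuleType:
    """The pattern the finding flags: prepend a directory and import by name.
    Whichever file called <module_name>.py sits first on sys.path is executed."""
    sys.path.insert(0, integration_dir)
    try:
        sys.modules.pop(module_name, None)
        importlib.invalidate_caches()
        return importlib.import_module(module_name)
    finally:
        sys.path.remove(integration_dir)


def pinned_load(integration_dir: str, module_name: str,
                allowed_sha256: set) -> types.ModuleType:
    """Hardened loader: explicit file path instead of sys.path mutation, no
    symlinks, directory and file not writable by group/others, and the source
    digest must be on the allowlist before the module executes."""
    if not module_name.isidentifier():
        raise ValueError("module name must be a plain identifier")
    path = os.path.join(integration_dir, module_name + ".py")
    for p in (integration_dir, path):
        st = os.lstat(p)  # lstat so a symlink is seen as a symlink
        if stat.S_ISLNK(st.st_mode) or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{p} is a symlink or writable by group/others")
    digest = sha256_of(path)
    if digest not in allowed_sha256:
        raise PermissionError(f"{path}: digest {digest[:12]} is not allowlisted")
    spec = importlib.util.spec_from_file_location(module_name, path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # runs only after the checks above passed
    return module


def demo() -> dict:
    """Plant a shadowing adapter in the integration directory and compare the
    two loaders. Returns the outcome of each step for inspection."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        integ = os.path.join(root, "integrations")
        os.mkdir(integ, 0o700)
        adapter = os.path.join(integ, "correction_adapter.py")
        with open(adapter, "w") as f:
            f.write(BENIGN_ADAPTER)
        os.chmod(adapter, 0o644)
        allowed = {sha256_of(adapter)}  # pin the reviewed adapter
        out["pinned_benign"] = pinned_load(integ, "correction_adapter", allowed).correct("  hi ")
        # Anyone who can write to the integration path now swaps the file.
        with open(adapter, "w") as f:
            f.write(PLANTED_ADAPTER)
        os.chmod(adapter, 0o644)
        out["naive_planted"] = naive_load(integ, "correction_adapter").correct("  hi ")
        try:
            pinned_load(integ, "correction_adapter", allowed)
            out["pinned_planted"] = "loaded"
        except PermissionError:
            out["pinned_planted"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The permission-bit check is deliberately strict: a world-writable integration directory defeats the hash pin the moment the attacker can also edit the allowlist, so the allowlist itself has to live somewhere the adapter author cannot write.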

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The configuration documents auto_create: true and references a writable path, but does not prominently warn that the skill may write files to disk. Hidden or non-prominent write behavior can lead to unintended modification of local state, especially in automated environments where users assume configuration is read-only.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The troubleshooting section confirms that the plugin will create a minimal rules file if missing, but presents this as a convenience rather than a security-relevant side effect. Unannounced file creation can be abused to plant unexpected files, alter application behavior, or violate operator expectations in restricted environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill auto-creates and writes a learning rules file in the user's home directory without warning or confirmation. In agent environments this kind of silent persistence is risky because it can leave durable state, surprise users, and be combined with path manipulation or symlink abuse to write in unintended locations.
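The Description-Behavior Mismatch finding and the three Missing User Warnings findings above all turn on the same side effect: a rules file that is created under the home directory without the user seeing it happen, with the symlink and path-manipulation angle noted in the last one. The initializer below is an added example, not the skill's code, showing what a safer version of that auto_create behavior looks like: it does nothing unless auto_create is explicitly on, opens every path component relative to the previous directory descriptor with O_NOFOLLOW so a planted symlink is refused rather than followed, and creates the file with O_CREAT|O_EXCL so the write cannot be redirected between the check and the create. It assumes a POSIX os.open with dir_fd support, reuses the ~/self-improving/learning.md path from the overview, and uses a constructed minimal template as the file content.

```python
# Added example (not the Learning Coordinator's own code): a rules-file
# initializer that makes the auto_create side effect explicit and refuses the
# symlink tricks the finding mentions. Assumptions: POSIX os.open with dir_fd,
# O_DIRECTORY and O_NOFOLLOW; the path ~/self-improving/learning.md from the
# overview; and a constructed minimal rules template.
import os
import stat
import tempfile

RULES_TEMPLATE = "# learning rules\n# (constructed minimal content)\n"
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
FILE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW


def ensure_rules_file(home: str, rel_path: str = "self-improving/learning.md",
                      auto_create: bool = False) -> str:
    """Return 'exists' or 'created'. With auto_create=False nothing is written.
    Each component is opened relative to the previous directory fd with
    O_NOFOLLOW, so a symlink planted anywhere under home is refused, and the
    final create uses O_CREAT|O_EXCL so it is atomic."""
    parts = rel_path.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("rel_path must be a plain relative path")
    fd = os.open(home, DIR_FLAGS)
    try:
        for part in parts[:-1]:
            try:
                nfd = os.open(part, DIR_FLAGS, dir_fd=fd)
            except FileNotFoundError:
                if not auto_create:
                    raise PermissionError(f"{part} missing and auto_create is off")
                os.mkdir(part, 0o700, dir_fd=fd)
                nfd = os.open(part, DIR_FLAGS, dir_fd=fd)
            except OSError as e:  # ELOOP for a symlink, ENOTDIR for a plain file
                raise PermissionError(f"refusing to traverse {part}: {e.strerror}")
            os.close(fd)
            fd = nfd
        name = parts[-1]
        try:
            st = os.stat(name, dir_fd=fd, follow_symlinks=False)
        except FileNotFoundError:
            if not auto_create:
                raise PermissionError(f"{name} missing and auto_create is off")
            ffd = os.open(name, FILE_FLAGS, 0o600, dir_fd=fd)  # create or fail
            with os.fdopen(ffd, "w") as f:
                f.write(RULES_TEMPLATE)
            return "created"
        if not stat.S_ISREG(st.st_mode):  # covers symlinks, including dangling ones
            raise PermissionError(f"{name} exists but is not a regular file")
        return "exists"
    finally:
        os.close(fd)


def demo() -> dict:
    """Exercise the initializer in a scratch home, including two planted symlinks."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        elsewhere = os.path.join(root, "elsewhere")  # where an attacker wants the write
        os.mkdir(home, 0o700)
        os.mkdir(elsewhere, 0o700)
        try:
            ensure_rules_file(home, auto_create=False)
            out["auto_create_off"] = "created"
        except PermissionError:
            out["auto_create_off"] = "refused"
        out["first_run"] = ensure_rules_file(home, auto_create=True)
        out["second_run"] = ensure_rules_file(home, auto_create=True)
        with open(os.path.join(home, "self-improving", "learning.md")) as f:
            out["content"] = f.read()
        # Planted directory symlink: ~/self-improving -> elsewhere
        home2 = os.path.join(root, "home2")
        os.mkdir(home2, 0o700)
        os.symlink(elsewhere, os.path.join(home2, "self-improving"))
        try:
            ensure_rules_file(home2, auto_create=True)
            out["dir_symlink"] = "created"
        except PermissionError:
            out["dir_symlink"] = "refused"
        # Planted file symlink: learning.md -> elsewhere/victim.txt (does not exist yet)
        home3 = os.path.join(root, "home3")
        os.makedirs(os.path.join(home3, "self-improving"), mode=0o700)
        os.symlink(os.path.join(elsewhere, "victim.txt"),
                   os.path.join(home3, "self-improving", "learning.md"))
        try:
            ensure_rules_file(home3, auto_create=True)
            out["file_symlink"] = "created"
        except PermissionError:
            out["file_symlink"] = "refused"
        out["elsewhere_untouched"] = os.listdir(elsewhere) == []
    return out


if __name__ == "__main__":
    print(demo())
```

The default of auto_create=False is the point the findings make: creation should be something the operator opts into and can see in the log, not a convenience that happens during initialization.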

VirusTotal

63/63 vendors flagged this skill as clean.
