Skill Creator (Ming)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it includes review-worthy local automation that can stop unrelated services and encourages broad skill triggering.

Install only if you are comfortable with a skill that can create and modify skill files, run local Python helpers, call the local Claude CLI, and launch a localhost review viewer. Use a dedicated workspace, avoid putting secrets in eval prompts or outputs, prefer the static viewer mode when possible, choose an unused viewer port, and review generated skill descriptions so they do not trigger too broadly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to read and write files, execute shell commands, inspect environment context, and launch scripts, but it does not declare permissions or constrain those capabilities. That creates a least-privilege gap: if this skill is triggered unexpectedly or on untrusted input, it can perform high-impact local actions without an explicit trust boundary.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script forcibly kills whatever process is listening on the requested port before starting its own server, without verifying ownership, provenance, or whether termination is safe. In a developer workstation or shared environment, this can disrupt unrelated services, destroy active work, or be abused to terminate security-sensitive local processes if a user runs the tool with a chosen port.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill explicitly recommends making descriptions more 'pushy' and triggering even when users do not explicitly ask for the skill. This increases the chance of overbroad activation, causing the agent to invoke a powerful filesystem-and-shell-capable workflow for adjacent or ambiguous requests where it is unnecessary or unsafe.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Telling the agent to infer where the user is in the process and 'jump in' creates an ambiguous activation boundary. In context, this skill can run evaluations, write files, spawn background jobs, and execute scripts, so ambiguity materially raises the risk of unintended actions being taken without sufficiently clear user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
This file defines two distinct operating modes in one agent file: a post-hoc skill-comparison analyzer and a benchmark-results analyzer. Because the top-level description and instructions are broad and multiplexed, an orchestrator or triggering system may invoke this skill in unintended contexts, causing it to read the wrong inputs, produce the wrong output schema, or analyze benchmark data when improvement analysis was expected (and vice versa).

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Spreadsheet content is converted to HTML with SheetJS and then inserted with innerHTML, which can expose the page to script or markup injection if a crafted spreadsheet produces unsafe HTML. This viewer handles untrusted eval artifacts, so rendering attacker-controlled spreadsheet-derived HTML in the same DOM context is more dangerous than in a trusted-only workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends full skill content, eval results, history, and possibly prior model outputs to an external `claude` process without any explicit user-facing consent or visibility at the point of transmission. If those inputs contain proprietary prompts, internal test data, secrets, or sensitive customer text, this creates a real confidentiality risk through unintended disclosure to an external model/service.

Session Persistence

Medium
Category
Rogue Agent
Content
4. **Launch the viewer** with both qualitative outputs and quantitative data:
   ```bash
   nohup python <skill-creator-path>/eval-viewer/generate_review.py \
     <workspace>/iteration-N \
     --skill-name "my-skill" \
     --benchmark <workspace>/iteration-N/benchmark.json \
   ```
Confidence
90% confidence
Finding
nohup

VirusTotal

39/39 vendors flagged this skill as clean.
