Ontology Clawra Backup 20260319 151919

Security checks across malware telemetry and agentic risk

Overview

This is a local ontology and reasoning skill, but its instructions are inconsistent about when it writes private reasoning records and whether it stays local-only.

Install only if you are comfortable with a reasoning skill that may persist local notes about your decisions and preferences. Keep network-backed search disabled or ask the agent to confirm before using external search, and require a preview plus explicit approval before anything is written to memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The skill claims a strict file/data boundary limited to the local memory directory, but later operational guidance requires use of external documentation and web search services. That mismatch can cause users or agents to disclose task context, prompts, or sensitive reasoning data to external systems under the false belief that the skill is strictly local-only.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The skill makes strong privacy assurances such as strict separation from external platforms and never uploading user data, yet later mandates external search tools as part of normal workflow. This creates a misleading trust boundary: users may share sensitive material believing it stays local, while routine operation may transmit derived or raw content to third-party services.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
Using a broad trigger phrase like '记录这个' ("record this") for ontology writes risks accidental activation during ordinary conversation. In a skill that supports persistence of user reasoning and decisions, ambiguous triggers can lead to unintended storage of sensitive or inaccurate information, creating privacy and integrity risks.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The auto-learning trigger set mixes several loosely defined events, including user confirmation, reasoning failure, and user correction, without a precise activation model. Ambiguous trigger boundaries increase the chance of unintended logging, state changes, or prompts that expose or persist sensitive user context beyond what the user expected.

Vague Triggers

Severity: Low
Confidence: 84%
Finding
Treating generic 'user correction' as a trigger is overly broad and can capture ordinary conversational refinement as something to log or act on. While the document says auto-write is false in some cases, the ambiguity still risks unnecessary retention of user statements and incorrect ontology updates in future implementations.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The extraction patterns are extremely broad and can classify normal text as entities, rules, or laws. In a memory-building skill, overbroad extraction can silently accumulate private, irrelevant, or false information, degrading data quality and increasing privacy risk if the stored ontology is later reused for decisions.

VirusTotal

No VirusTotal findings