Ontology Clawra

Security checks across malware telemetry and agentic risk

Overview

The skill does implement ontology and memory functionality, but it also asks for broad persistent memory, global prompt-layer influence (via SOUL.md), and automatic git push and ClawHub publish powers. Those need manual review before installation.

Install only if you are prepared to audit and constrain it. Disable or remove auto_enhancer.py unless you explicitly want automatic git pushes and ClawHub publishing, do not allow SOUL.md changes without review, and keep personal memories, secrets, and identifying details out of any memory files or repositories this skill can read, back up, or publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""提交并推送到 GitHub"""
    try:
        # 添加所有更改
        subprocess.run(["git", "add", "."], cwd=SKILL_DIR, check=True)

        # 检查是否有更改
        result = subprocess.run(
Confidence
92% confidence
Finding
subprocess.run(["git", "add", "."], cwd=SKILL_DIR, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Commit
        commit_msg = f"feat: ontology-clawra v{new_version} - auto-enhancement"
        subprocess.run(
            ["git", "commit", "-m", commit_msg],
            cwd=SKILL_DIR,
            check=True
Confidence
90% confidence
Finding
subprocess.run( ["git", "commit", "-m", commit_msg], cwd=SKILL_DIR, check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"✅ Git commit: {commit_msg}")

        # Push to the remote
        subprocess.run(
            ["git", "push", "origin", "main"],
            cwd=SKILL_DIR,
            check=True
Confidence
97% confidence
Finding
subprocess.run( ["git", "push", "origin", "main"], cwd=SKILL_DIR, check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""发布到 ClawHub"""
    try:
        # 使用 clawhub CLI 发布
        result = subprocess.run(
            ["clawhub", "publish", CLAWHUB_SLUG],
            cwd=SKILL_DIR,
            capture_output=True,
Confidence
93% confidence
Finding
result = subprocess.run( ["clawhub", "publish", CLAWHUB_SLUG], cwd=SKILL_DIR, capture_output=True, text=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documents effective capabilities for local file read/write and shell execution, yet it does not declare permissions or bound those operations. This creates a transparency and control failure: users and the host agent may treat it as a reasoning-only skill while it can mutate local state and invoke external commands.
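The four subprocess findings above and this least-privilege finding describe the same gap: code that runs `git push` and `clawhub publish` while the skill declares no such capability. The audit below is an added example, not code from the scanned skill or from SkillSpector. It parses a skill's Python files with the `ast` module, records every `subprocess` invocation together with its literal argv, maps known commands to a capability label, and reports which labels are absent from the list the skill declares. The capability labels, the notion of a declared "permissions" list, and the `SAMPLE_SOURCE` (constructed to resemble the flagged snippets, not the real `auto_enhancer.py`) are assumptions for illustration.

```python
"""Static capability audit for an agent skill directory.

Added example (not code from the scanned skill or from SkillSpector). The
capability labels and the declared "permissions" list are assumptions.
"""
import ast
import os

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
# (program, subcommand) -> capability label (assumed taxonomy)
SIDE_EFFECT_COMMANDS = {
    ("git", "add"): "repo:write",
    ("git", "commit"): "repo:write",
    ("git", "push"): "repo:push",
    ("clawhub", "publish"): "publish:clawhub",
}


def _literal_argv(call):
    """argv as strings when the first argument is a list literal, else None.

    Non-literal elements become "<dynamic>" so they are never treated as harmless.
    """
    if not call.args or not isinstance(call.args[0], ast.List):
        return None
    return [elt.value if isinstance(elt, ast.Constant) and isinstance(elt.value, str)
            else "<dynamic>" for elt in call.args[0].elts]


def _is_subprocess_call(call):
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr in SUBPROCESS_FUNCS
            and isinstance(func.value, ast.Name) and func.value.id == "subprocess")


def scan_source(src, filename="<skill>"):
    """Return [(lineno, argv, capability)] for every subprocess invocation."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Call) and _is_subprocess_call(node):
            argv = _literal_argv(node) or ["<dynamic>"]   # string or variable argv
            cap = SIDE_EFFECT_COMMANDS.get(tuple(argv[:2]), "exec:" + argv[0])
            findings.append((node.lineno, argv, cap))
    return sorted(findings)


def scan_directory(skill_dir):
    """Scan every .py file under skill_dir; returns {relative path: findings}."""
    report = {}
    for root, _, files in os.walk(skill_dir):
        for name in files:
            if name.endswith(".py"):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, skill_dir)
                with open(path, encoding="utf-8") as f:
                    report[rel] = scan_source(f.read(), rel)
    return report


def undeclared_capabilities(report, declared):
    """Capabilities the code exercises that the manifest does not declare."""
    required = {cap for findings in report.values() for _, _, cap in findings}
    return sorted(required - set(declared))


# Constructed sample modelled on the snippets flagged above; not the skill's file.
SAMPLE_SOURCE = '''
import subprocess
SKILL_DIR = "."
CLAWHUB_SLUG = "example-skill"

def commit_and_push(new_version):
    subprocess.run(["git", "add", "."], cwd=SKILL_DIR, check=True)
    commit_msg = f"feat: v{new_version} - auto enhance"
    subprocess.run(["git", "commit", "-m", commit_msg], cwd=SKILL_DIR, check=True)
    subprocess.run(["git", "push", "origin", "main"], cwd=SKILL_DIR, check=True)

def publish():
    return subprocess.run(["clawhub", "publish", CLAWHUB_SLUG], cwd=SKILL_DIR,
                          capture_output=True, text=True)

def run_user_command(cmd):
    subprocess.run(cmd, shell=True)   # argv is not a literal: reported as <dynamic>
'''


def audit_sample(declared=("memory:read",)):
    """Audit SAMPLE_SOURCE against an assumed manifest; returns a dict."""
    report = {"auto_enhancer.py": scan_source(SAMPLE_SOURCE, "auto_enhancer.py")}
    return {"findings": report["auto_enhancer.py"],
            "undeclared": undeclared_capabilities(report, declared)}


if __name__ == "__main__":
    result = audit_sample()
    for lineno, argv, cap in result["findings"]:
        print(f"line {lineno}: {' '.join(argv)}  ->  {cap}")
    print("undeclared:", result["undeclared"])
```

Run `scan_directory(path_to_skill)` against a real install and feed the result to `undeclared_capabilities` with whatever the skill actually declares; anything returned is a capability the user is granting without being told. Non-literal argv is deliberately reported as `exec:<dynamic>` rather than dropped, because a command built at runtime is exactly the case a reviewer cannot assess from the manifest.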

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose is an ontology/reasoning engine, but the documented behavior expands into self-modification, repository operations, remote publishing, workspace scanning, and persistent recordkeeping. That mismatch is dangerous because it conceals materially broader powers than users would reasonably expect from the description.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
An ontology skill has no clear justification to automatically upgrade itself, commit changes, push to GitHub, and publish to ClawHub. Combining reasoning logic with autonomous supply-chain actions creates a high-risk path for unintended code release, data leakage, and persistence of harmful changes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill is documented to use locally cached Git and ClawHub credentials to publish content remotely. Access to ambient credentials plus autonomous publishing creates a direct exfiltration and supply-chain risk, especially because memory files and user data are also discussed elsewhere in the skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The document instructs placing trigger logic into SOUL.md so it executes unconditionally every session, elevating this skill beyond its nominal scope. That is a privilege-expansion pattern: it attempts to persist behavior at a higher-priority prompt layer rather than being invoked only when needed.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file's behavior materially exceeds the declared purpose of a reasoning-engine skill by performing repository maintenance and release automation. This scope mismatch is dangerous because users may grant trust or execution rights expecting ontology logic, while the script can modify, commit, and publish code instead.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Executing `git` and `clawhub` developer tooling is not justified by the stated skill purpose and introduces privileged side effects unrelated to reasoning. In context, this makes the skill substantially more dangerous because an ontology skill can unexpectedly alter source control state and publish artifacts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script rewrites `_meta.json`, `CHANGELOG.md`, `SKILL.md`, and creates ontology template files automatically. Self-modifying behavior is a real vulnerability here because it changes core skill artifacts without review, making integrity loss and persistence of bad changes more likely.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The module recursively scans a broad user workspace directory outside the skill's own storage and reports matching file paths and keywords. In an agent setting, this can expose unrelated user memory contents and metadata to the skill or downstream consumers, violating least-privilege and creating a privacy/data-exposure risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The changelog documents behavior that causes the skill to act on loosely defined conditions such as detecting a 'habitual problem' or the end of a 'long conversation' and then proactively injecting advice or a recap. In an agent skill, vague autonomous triggers can cause unintended invocation, surprise actions, and policy-violating outputs because the boundaries are subjective and not tied to explicit user consent or deterministic criteria.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation rules are broad enough to fire during ordinary conversation, causing automatic memory writes and behavioral changes without clear consent boundaries. Over-broad triggers are especially risky here because the skill persists information and influences future reasoning.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The pre-response checklist uses generic conversational patterns such as corrections, decisions, and preferences as automatic write triggers. In this context, that creates continuous background harvesting of user information and state changes on nearly every reply cycle.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The later trigger section repeats the same broad activation logic, reinforcing persistent and automatic behavior without adequate specificity. Repetition across the design increases the likelihood that an agent will apply these triggers aggressively and continuously.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The eval explicitly defines broad trigger keywords ('推理', meaning "reasoning", and '选型', meaning "selection") that can activate the skill without clear domain boundaries or exclusion rules. In an agent environment, this can cause the ontology skill to fire on unrelated prompts, leading to unintended memory writes, ontology updates, or reasoning behavior outside its intended scope.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs automatic file modifications during analysis without prompting the user. Lack of confirmation is dangerous because merely running the tool can alter repository contents, enabling unintended state changes and making later commits/publishes more hazardous.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The workflow commits and pushes changes to remote infrastructure without explicit user confirmation. This is especially dangerous in this skill context because the same script also self-modifies files, so unreviewed local edits can be propagated to trusted remote channels in a single run.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code persists user queries, confidence metadata, sources, and details to a file under the user's home directory without any visible disclosure, consent flow, retention control, or permission hardening. In an agent skill context, these records may contain sensitive prompts, personal data, or inferred user attributes, creating privacy and local data exposure risk if the machine is shared, backed up, or later accessed by other software.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
User correction records are also written persistently without warning, and they may reveal preferences, mistakes, domain-specific facts, or sensitive feedback over time. Because this skill is a memory-oriented reasoning component, the context makes the issue more significant: it is specifically designed to accumulate longitudinal user data, increasing privacy sensitivity and the chance of unintended profiling or disclosure.
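The two findings above list what is missing from the skill's memory writes: visible disclosure, a consent flow, retention control, and permission hardening. The store below is an added example of those four controls, not code from the scanned skill. Writes are refused until an explicit consent flag is set, the file is created with owner-only permissions (0o600, re-applied with `fchmod` in case a looser file already existed), the record count is capped, and the user can delete everything. The JSON-lines layout, the record fields, the retention limit and the `DISCLOSURE` text are assumptions for illustration.

```python
"""Consent-gated, permission-hardened memory record store.

Added example, not code from the scanned skill. File layout, record fields
and the retention limit are assumptions.
"""
import json
import os
import tempfile
import time

# Text the agent must show the user before consent can be recorded (assumed wording).
DISCLOSURE = (
    "This skill can save your corrections, decisions and preferences to a "
    "local file across sessions. Reply 'yes' to allow it; you can delete the "
    "file at any time."
)


class ConsentRequired(PermissionError):
    """Raised when a write is attempted before the user has opted in."""


class MemoryStore:
    def __init__(self, path, consent_given=False, max_records=500):
        self.path = path
        self.consent_given = consent_given   # set only by an explicit user action
        self.max_records = max_records

    def _open_private(self, flags):
        # 0o600 at creation; fchmod also tightens a file that already existed
        # with looser permissions (umask, or an earlier version of the skill).
        fd = os.open(self.path, flags, 0o600)
        os.fchmod(fd, 0o600)
        return fd

    def record(self, kind, text, source="conversation"):
        """Append one record; refuses outright without consent."""
        if not self.consent_given:
            raise ConsentRequired("memory writes require explicit user consent")
        entry = {"ts": int(time.time()), "kind": kind, "text": text, "source": source}
        fd = self._open_private(os.O_WRONLY | os.O_CREAT | os.O_APPEND)
        with os.fdopen(fd, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, ensure_ascii=False) + "\n")
        self._enforce_retention()
        return entry

    def load(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def _enforce_retention(self):
        """Keep only the newest max_records entries, rewriting the file privately."""
        entries = self.load()
        if len(entries) <= self.max_records:
            return
        fd = self._open_private(os.O_WRONLY | os.O_TRUNC)
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            for entry in entries[-self.max_records:]:
                f.write(json.dumps(entry, ensure_ascii=False) + "\n")

    def forget(self):
        """User-initiated deletion of everything the skill remembered."""
        if os.path.exists(self.path):
            os.remove(self.path)

    def file_mode(self):
        return os.stat(self.path).st_mode & 0o777


def demo():
    """Exercise the store in a temp dir with constructed input; returns the results."""
    workdir = tempfile.mkdtemp(prefix="memstore-")
    store = MemoryStore(os.path.join(workdir, "memory.jsonl"), max_records=3)
    blocked = False
    try:
        store.record("correction", "constructed: user said X was wrong")
    except ConsentRequired:
        blocked = True
    store.consent_given = True            # the user answered DISCLOSURE with 'yes'
    for i in range(5):
        store.record("preference", f"constructed preference {i}")
    result = {
        "blocked_without_consent": blocked,
        "kept": [e["text"] for e in store.load()],
        "mode": store.file_mode(),
    }
    store.forget()
    result["exists_after_forget"] = os.path.exists(store.path)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(DISCLOSURE)
    print(demo())
```

The consent flag lives on the store rather than in the skill's trigger rules so that a broad trigger cannot bypass it: however the agent decides something is worth remembering, the write still fails until the user has said yes. `os.open` with an explicit mode is used instead of `open()` because the latter inherits the process umask and can leave the file group- or world-readable on a shared machine.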

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill directs persistent storage of user facts, preferences, and decisions, plus backups of user-related files. Persistent cross-session profiling is sensitive even in a private repo because it increases exposure surface, retention risk, and the chance that personal data is later published or misused.

Ssd 3

Medium
Confidence
97% confidence
Finding
This checklist tells the agent to automatically write user corrections, choices, and preferences into persistent memory during normal interaction. That is dangerous because it turns routine conversation into silent data capture and durable profiling without meaningful user review.

Ssd 4

High
Confidence
98% confidence
Finding
The document describes a two-step mechanism: inject a high-priority always-on trigger into SOUL.md, then use it to continuously capture and persist user information. This is more dangerous than ordinary memory features because it establishes durable, global surveillance-like behavior at a privileged prompt layer.

VirusTotal

No VirusTotal findings
