ClawHub
Back to skill

Security audit

Distill Skill Builder

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a skill-building guide, but it includes persistent cross-agent deployment steps and advice to modify its evaluator, so users should review it before installing.

Install only if you want an opinionated skill-building workflow that may guide agents to crawl websites, edit a local evaluator, and copy skills into multiple assistant directories. Review and remove the evaluator-patching, broad trigger, anti-bot, and cross-environment sync instructions if you want a lower-risk version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs users to patch a centralized evaluator script used for assessing other skills. That broadens scope from local content distillation into modification of shared trust and scoring infrastructure, which could be abused to bias evaluations, hide weak skills, or normalize tampering with security-relevant tooling.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill directs copying artifacts into multiple local agent skill stores across Claude, OpenClaw, and Hermes. This creates cross-environment propagation behavior outside the narrow purpose of building a skill, increasing the blast radius of mistakes or malicious content and making persistence across agent ecosystems easier.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The guide includes sample code that spawns a subprocess and then kills it based on heuristic progress checks. For a documentation-distillation skill, process management is not necessary to fulfill the stated purpose and creates a dangerous precedent for terminating local processes, which could be repurposed to disrupt user workloads or hide long-running activity.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The document recommends inspecting and modifying low-level network and OS configuration, including `/etc/resolv.conf` checks and a Windows `netsh interface portproxy reset` command. Those actions exceed the scope of a knowledge-distillation skill and could disrupt system networking or normalize privileged host reconfiguration prompted by the skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The anti-bot section advises techniques such as adding delays, spoofing a browser User-Agent, setting a Google Referer, and maintaining cookies via sessions to bypass scraping defenses. In a doc-distillation skill, this crosses from normal retrieval into evasion guidance and increases the risk of unauthorized scraping or policy circumvention against third-party sites.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This guide explicitly instructs users to modify the evaluator logic so the skill can score better, including changing what counts as an official source and where metadata is read from. That crosses from legitimate content improvement into manipulation of the security/review pipeline, because it teaches how to alter the judge instead of the artifact being judged.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are very broad and overlap with ordinary requests about creating, improving, evaluating, or syncing skills. Overbroad activation increases the chance this skill is invoked in contexts the user did not intend, which can inject its operational guidance, deployment steps, and evaluator-modification advice into unrelated workflows.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The guidance explicitly recommends trigger coverage for broad everyday phrases such as examples like '这段代码', which can cause the skill to activate outside its intended domain. In an agent routing context, overly broad triggers can hijack unrelated user requests, increase accidental invocation, and expose downstream tooling or instructions more often than necessary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal