Learning Loop

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local memory system, but it broadly and durably stores user/session content with weak consent, redaction, and retention controls.

Install only if you intentionally want a persistent local memory layer. Before enabling per-message capture, cron automation, compaction flushing, or cross-agent exports, set clear rules for what must never be logged, review memory/learning regularly, and avoid storing secrets, credentials, personal data, or confidential work context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (19)

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The activation guidance is broad and aspirational, encouraging use in many normal agent situations without tight scope limits or sensitivity checks. In practice, this can cause the skill to run too often and collect/store information from routine interactions that did not warrant persistent retention.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The 'Use when' section defines triggers such as feedback, risky actions, weekly maintenance, compaction, and sharing knowledge in very broad terms. Because these conditions occur frequently in normal operation, the skill may be over-invoked and continually append session-derived content into persistent memory.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The script exports the full rule set plus metadata such as agent handle and source workspace path without any explicit consent prompt, redaction warning, or minimization beyond selected fields. In this skill context, cross-agent sharing is an intended feature, which makes disclosure of learned rules plausible and increases the chance of unintentionally exposing sensitive internal instructions, filesystem layout, or operational metadata to logs, pipes, or recipients.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script automatically persists detected feedback events to events.jsonl without any runtime notice, consent gate, or redaction step. Because the detector operates on arbitrary user messages and stores message content slices, it can silently retain sensitive or private information that users did not expect to be logged.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding:
The file explicitly targets detection of human feedback using English-language phrases and says to customize for a specific human's language, but it does not document user consent, locale selection, or fallback behavior for other languages. In a persistent learning/memory skill, this can systematically misclassify sentiment and corrections for non-English or multilingual users, causing inaccurate memory capture and potentially harmful downstream behavior changes.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding:
The notes section reinforces copying language-specific heuristics from other sources and customizing them for 'your human' without describing boundaries, consent, or validation. In the context of a self-improvement system that persists lessons across sessions, this increases the chance of silently encoding biased or incorrect assumptions about a user's speech patterns into long-term behavior.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The changelog instructs the agent to scan EVERY message for broad WAL triggers such as corrections, preferences, decisions, and specific values. That scope is overly expansive and can cause unintended persistence of ordinary user content, increasing the chance that sensitive or irrelevant data is written to disk without meaningful user awareness or necessity.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The file describes writing message-derived content to a persistent log before responding, but provides no user-facing warning, consent mechanism, or disclosure that the content may survive compaction. This creates a transparency and privacy risk because users may reasonably expect transient conversation handling, not durable storage of extracted details.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The description defines many broad situations for invoking the skill, including routine debugging, feedback handling, risky actions, weekly reviews, and persistent memory setup, without clear boundaries or safety gates. In a self-improvement and cross-session memory skill, this ambiguity can cause over-invocation and unnecessary influence over agent behavior, increasing the chance that untrusted or low-quality inputs get persisted and promoted into future decision-making.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script appends arbitrary caller-supplied content directly into a persistent SESSION-STATE.md file with no consent, review step, or content restrictions. In the context of a self-improvement and memory skill, this creates a prompt-injection persistence channel: malicious or misleading user input can be stored as durable agent memory and later influence future behavior long after the original interaction.

Ssd 3

Severity: Medium
Confidence: 93%
Finding:
The architecture explicitly promotes capturing debugging sessions, mistakes, successes, and human feedback as durable artifacts, which are often rich in natural-language secrets, personal data, proprietary code context, or business details. Persisting and mining that material creates a direct leakage and retention risk, especially because the system is designed to survive compaction and be reused later.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
Append-only event logging combined with periodic extraction encourages indefinite accumulation of detailed session records and feedback. This increases blast radius if the workspace is exposed and makes accidental retention of sensitive data more likely over time.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The boot wiring instructs the agent to repeatedly read and append to persistent learning files every session, normalizing continuous capture of interaction-derived content. This makes the behavior more dangerous because it bakes retention into the agent's default lifecycle rather than limiting it to rare, explicit events.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The compaction guidance explicitly instructs preservation of uncaptured session material before context is dropped, defeating a natural privacy boundary where transient context would otherwise disappear. This can preserve sensitive information precisely at the moment it was expected to be forgotten, increasing privacy and compliance risk.

Ssd 3

Severity: Medium
Confidence: 91%
Finding:
Cross-agent export/import creates a channel for rules derived from prior sessions to propagate to other agents, potentially carrying embedded sensitive context, customer-specific procedures, or prompt-derived instructions. The trust scoring and hashing described do not solve confidentiality; they only address integrity/provenance aspects.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
The event object stores substantial portions of the original message in fields like solution and greg_feedback, preserving up to 200–300 characters of user input in a durable log. If users include credentials, API keys, personal data, or proprietary information in feedback, the script will persist that data to disk, creating a sensitive-data retention and leakage risk.

Ssd 3

Severity: Medium
Confidence: 89%
Finding:
The generated rule instructs agents to broadly persist 'important' human-provided information before continuing, with no data-minimization, sensitivity filtering, or consent boundary. In an agent setting, this can cause secrets, personal data, or sensitive conversation content to be written to durable workspace files and later exposed through logs, backups, sharing, or subsequent tool use.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
These repeated rules normalize persistent logging of debugging findings and mistakes to local files without any restrictions on sensitive content. In this skill context, the memory system is designed to survive compaction and be reused later, which increases the chance of overcollection, retention of confidential prompts or outputs, and unintended disclosure across sessions or agents.

Ssd 3

Severity: High
Confidence: 97%
Finding:
The WAL protocol directs the agent to capture broad categories of user-provided details into persistent storage before responding, and the examples explicitly include sensitive data such as 'API key expires March 13, 2027.' In the context of a self-improvement and persistent memory skill, this is especially dangerous because it normalizes durable storage of potentially sensitive facts across sessions, expanding privacy, security, and compliance exposure.

VirusTotal

65/65 vendors flagged this skill as clean.
