Capability Evolver 1.40.0

Security checks across malware telemetry and agentic risk

Overview

This skill is a powerful self-evolution and networked automation tool with several high-impact behaviors that are only partly disclosed or inconsistently scoped.

Install only if you intentionally want a network-connected, self-modifying evolution tool. Run it in review/offline mode first, disable auto-publish, auto-issue, auto-update, and worker mode unless needed, avoid broad GitHub tokens, and use a dedicated workspace with non-sensitive logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (73)

Description-Behavior Mismatch (Medium, 91% confidence)
The README presents Evolver as a non-executing prompt generator, but elsewhere documents worker-pool task execution and command execution during validation. That mismatch can cause operators or host runtimes to grant trust under a false assumption of passivity, increasing the risk of unsafe deployment in environments with shell and network permissions.

Description-Behavior Mismatch (Medium, 88% confidence)
The manifest/description frames the skill as a self-evolution engine, but the README also documents automatic GitHub issue filing with sanitized logs and environment information. Omitting this external reporting behavior from the primary description is a security-relevant transparency gap because users may not expect outbound disclosure of operational data.

Context-Inappropriate Capability (Medium, 84% confidence)
Automatic GitHub issue creation is only loosely related to the core self-evolution purpose and introduces an external data egress path using privileged credentials. In a skill with network and shell permissions, extra reporting behavior expands the attack surface and can be abused to exfiltrate error-derived context or create unauthorized external side effects.

Context-Inappropriate Capability (Medium, 91% confidence)
Automatic GitHub issue reporting transmits failure data and repository context to an external service, and uses repository-scoped credentials to do so. In a self-evolving agent with network and shell permissions, this creates a real exfiltration and unintended external-action surface, especially if log redaction is incomplete or attacker-controlled inputs influence issue contents.

Intent-Code Divergence (Medium, 93% confidence)
The README claims the tool will not execute arbitrary shell commands, yet later documents execution of Gene validation commands and shell-based operational actions. In this skill context, that mismatch is dangerous because users may trust the safer description while enabling features that do execute commands, increasing the risk of unsafe validation payloads or operational misuse.

Description-Behavior Mismatch (High, 99% confidence)
The manifest presents this as a self-evolution engine, but the code also downloads external skills from a remote hub and installs them locally. That materially expands the trust boundary from local self-modification to remote content acquisition, creating a supply-chain risk where untrusted skills can be introduced into the agent environment.

Context-Inappropriate Capability (High, 99% confidence)
The fetch command retrieves remote skill content and bundled files, then writes them into a local skills directory with no integrity verification beyond the transport and no sandboxing. In a system intended for agent capability evolution, this enables capability expansion from remote inputs and can introduce malicious or unsafe code/content into the local environment.

Description-Behavior Mismatch (High, 94% confidence)
This script can mirror build output to a public GitHub repository, create public releases, and publish packages to ClawHub, which is a material outbound publishing capability unrelated to the stated self-evolution function. In a skill with network and shell permissions, this meaningfully increases the risk of unintended or unauthorized code/data exfiltration and public distribution if invoked by an agent or automation without strong operator awareness.

Context-Inappropriate Capability (High, 95% confidence)
The code creates GitHub releases and publishes to ClawHub using available credentials and environment variables, enabling external distribution of artifacts under automation control. Because the skill's declared purpose does not justify public software release operations, this constitutes an overprivileged and potentially dangerous capability, especially if runtime history or build output can be influenced upstream.

Description-Behavior Mismatch (High, 97% confidence)
The skill's declared purpose is protocol-constrained self-evolution, but this block also performs autonomous package/skill updates by invoking an external CLI with forced update flags. That materially expands behavior from self-analysis into self-modification of installed components, creating a supply-chain and unauthorized-change risk if the update source, path resolution, or execution context is compromised.

Context-Inappropriate Capability (High, 99% confidence)
This code executes the contents of `INTEGRATION_STATUS_CMD` via `execSync`, which is effectively arbitrary shell execution controlled by environment input. In a skill with shell and network permissions, any attacker who can influence environment variables gains code execution in the agent context, far beyond the stated self-evolution purpose.

Description-Behavior Mismatch (Medium, 88% confidence)
The skill reads broad session artifacts from home-directory agent sessions and optional transcript directories, which exceeds a narrow interpretation of runtime-history analysis and increases data exposure. While log ingestion may support evolution, the scope is broad enough to collect unrelated user content and operational data without clear minimization or consent boundaries.

Description-Behavior Mismatch (Medium, 90% confidence)
This module does more than local protocol formatting: it automatically registers with an external hub, sends recurring heartbeats, and long-polls for events. In a skill with network and shell permissions and a description focused on self-evolution, this creates an undisclosed external control and telemetry channel that could leak operational metadata and allow remote tasking behavior beyond user expectations.

Description-Behavior Mismatch (Medium, 84% confidence)
The code derives a stable node identifier from machine characteristics and persists it locally; elsewhere the module also persists node secret material under the user's home directory. Persistent machine-linked identity and secret storage increase privacy and security risk because they enable long-term tracking and create credential material on disk that may be reused or stolen if file protections fail or the host is compromised.

Context-Inappropriate Capability (Medium, 95% confidence)
This module creates a stable per-host or per-container identifier by deriving it from machine ID, hardware UUID, container ID, hostname, and MAC addresses, then persists it across runs. For a self-evolution skill, this enables cross-session tracking of a node beyond the immediate runtime and collects host-identifying signals that are not clearly necessary for the stated purpose, creating privacy and surveillance risk if the identifier is transmitted or correlated externally.

Context-Inappropriate Capability (Medium, 89% confidence)
The code invokes the macOS ioreg command to retrieve IOPlatformUUID, a hardware-tied identifier, which expands the skill's ability to fingerprint the host beyond what is apparent from a self-evolution engine. Even though execFileSync avoids shell injection, the behavior still gathers sensitive system identity data and increases the persistence and trackability of the agent across upgrades and directory changes.

Context-Inappropriate Capability (Medium, 90% confidence)
The code executes platform-specific shell and PowerShell commands to inspect host idle time, including writing and running a temporary PowerShell script with ExecutionPolicy Bypass on Windows. Even though the commands are not built from untrusted input, this still expands the skill's host-observation capabilities and normalizes subprocess-based system interrogation in an agent component with shell and network permissions.

Description-Behavior Mismatch (Medium, 93% confidence)
This module adds an autonomous outbound reporting capability that is broader than the stated self-evolution purpose and can exfiltrate operational data to an external repository. In the context of an agent with network and shell permissions, silently opening GitHub issues with logs and environment details increases data disclosure risk and creates an unexpected external side effect.

Context-Inappropriate Capability (Medium, 95% confidence)
The code reads GitHub credentials from environment variables and uses them to perform external writes, enabling autonomous actions under whatever privileges the token has. Even though the token itself is not leaked here, using ambient credentials for unprompted network operations is dangerous because it can create unauthorized issues, abuse CI secrets, or expand the blast radius if the skill is triggered unexpectedly.

Intent-Code Divergence (Medium, 91% confidence)
The comments state that logs and environment info are sanitized, but the issue body includes raw intent and gene values from recent events without redaction. If those fields can contain sensitive prompts, identifiers, strategy names, or attacker-controlled content, the module may disclose internal state or embed untrusted text into public or shared issue trackers.

Intent-Code Divergence (Medium, 96% confidence)
The code presents itself as an LLM-based safety review, but the invoked subprocess always returns an approval result without performing any real analysis. In a self-evolving agent with shell and network permissions, this creates a deceptive control that can cause unsafe or malicious mutations to be treated as reviewed and approved, undermining a critical safety gate.

Context-Inappropriate Capability (Medium, 94% confidence)
The prompt builder injects environment-derived fingerprint data and an arbitrary EVOLVE_HINT directly into the model prompt, giving the model access to potentially sensitive runtime context and operator-controlled instructions. In a self-evolving agent with network and shell permissions, this materially increases the chance of prompt injection, secrets leakage, and unsafe tool-use decisions driven by untrusted context.

Description-Behavior Mismatch (Medium, 92% confidence)
The distiller automatically publishes synthesized genes to an external Hub after local generation, which introduces network exfiltration of generated content and autonomous outbound side effects without an explicit approval step in this flow. In a skill with both network and shell permissions, self-generated artifacts may encode sensitive operational history or unsafe strategies, so automatic publication expands trust boundaries and can leak or propagate unreviewed behavior.

Description-Behavior Mismatch (Medium, 94% confidence)
This file implements outbound publication of generated skill content to a remote Hub, which extends beyond a narrowly described self-evolution/local analysis role and can transmit derived data off-host. In a skill with network and shell permissions, silent marketplace publication increases the risk of unintended exfiltration of prompts, operational metadata, or sensitive runtime-derived content embedded in the generated SKILL.md or tags.

Description-Behavior Mismatch (Medium, 97% confidence)
This file does substantially more than local self-evolution: it automatically publishes generated capsules/genes, publishes failure-derived anti-patterns, submits Hub reviews, and completes remote Hub tasks. In a skill with both network and shell permissions, that expands the trust boundary from local optimization to autonomous external coordination and data exfiltration, which is dangerous if users/operators were not explicitly expecting remote side effects.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.