RootCraft Learning System

Security checks across malware telemetry and agentic risk

Overview

This is a learning-method skill that creates local study materials, with no evidence of hidden credential use, exfiltration, or destructive behavior outside its study workspace.

Install if you are comfortable with a study assistant that may create and replace local files in the OpenClaw workspace. Use distinct topic names to avoid overwriting earlier materials, and avoid entering confidential study content unless local persistence is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README advertises very generic invocation phrases such as "I want to learn..." and "Help me create a study plan...", which are broad enough to overlap with many normal user requests unrelated to this specific skill. In an agent environment that routes skills by matching trigger phrases, this can cause unintended activation, leading to inappropriate context capture, user confusion, or interference with more relevant skills.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger keywords are extremely broad and match common educational or conversational phrases, which can cause the skill to activate in contexts where the user did not explicitly intend to invoke it. This creates an unsafe prompt-selection boundary and can lead to unsolicited behavior, including file-writing flows described elsewhere in the skill.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to proactively recommend or engage the workflow on broad utterances like 'I don't understand' or 'I want to learn', without clear user consent boundaries. In an agent environment, this increases the chance of unintended invocation and escalation into automatic content generation or saving actions the user did not request.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs automatic saving of detailed study content to local filesystem paths and shows code to perform those writes, but does not require clear user awareness or consent at the point of write. This can persist sensitive user-provided study topics, notes, or generated content to disk unexpectedly, creating privacy and data-retention risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Advertising CSV export, review schedules, and automatic generation of Anki/importable artifacts without a privacy notice or retention warning can expose personal learning content, vocabulary, or user-entered material in persistent files. Even if the content seems benign, study topics may include sensitive professional, medical, legal, or personal subjects, making silent export risky.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The function bulk-creates and overwrites multiple files under a fixed workspace path using attacker-controlled content, with no confirmation, no non-destructive mode, and no overwrite protection. In an agent setting, this can silently clobber existing study materials or poison downstream workflows that consume those files, making unintended data loss and persistence of untrusted content more dangerous than in a purely interactive local script.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The exam-saving function writes 08-exam.md directly and will overwrite any existing file with that name without warning. In this skill context the path is constrained to a workspace subdirectory, so the blast radius is limited, but it still creates a real integrity risk through silent destruction or replacement of user content.

VirusTotal

65/65 vendors flagged this skill as clean.
