Auto Skill Evolver 1.5.1

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but openly documented maintenance skill for running user-chosen training commands and proposing edits to local skills, with no evidence of hidden install behavior or malicious intent.

Install only if you want an administrative skill that can run local commands and modify other skills. Use it in a development or isolated skills directory, keep traces free of secrets, set --allowed-skill-roots when possible, review the printed diff before approving, and prefer hash-based approval over a plain yes token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
args = parse_safe_command(command)  # splits the command into an argv list, rejecting obvious shell operators
print(f"Executing (safe argv): {args}")
try:
    # shell=False: argv is handed to the OS directly, with no shell interpretation
    result = subprocess.run(args, shell=False, check=True, capture_output=True, text=True)
    return result.stdout, result.stderr
except subprocess.CalledProcessError as e:
    print(f"Command failed with error: {e}")
    # no return here: a non-zero exit status makes the function return None
Confidence
95% confidence
Finding
result = subprocess.run(args, shell=False, check=True, capture_output=True, text=True)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script delegates optimization to an external local agent CLI and feeds it prompt content derived from trace and feedback files that are explicitly untrusted. Even with warning text in the prompt, this creates an LLM-mediated code/content modification pipeline where a compromised or prompt-injected agent can generate unsafe skill changes, and the script later persists those changes as proposals that may be approved and applied.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The training loop accepts --command and executes it during the workflow, enabling arbitrary local command execution under the guise of training or status operations. That is inconsistent with the stated role of a conversational routing/meta-skill and could be abused to run destructive programs, access local data, or stage further compromise.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The code participates in an automated loop that feeds traces and feedback into an optimizer that rewrites the target skill file. For a skill advertised mainly as conversational routing for propose/status/approve flows, direct file mutation is a powerful side effect that can alter code or prompts beyond user expectations, increasing the chance of unsafe or unauthorized changes.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Even with parse_safe_command blocking obvious shell operators, the design still exposes arbitrary subprocess execution to callers. A conversational skill-evolution router does not inherently need the ability to launch arbitrary binaries, so this creates unjustified attack surface and can be leveraged for local reconnaissance, file manipulation, data exfiltration via trusted tools, or persistence.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Trace contents are read from a file and forwarded into the optimization pipeline without disclosure, minimization, or sanitization. Execution traces can contain secrets, local paths, prompts, tokens, or sensitive user data, and passing them into another component that may rewrite files increases confidentiality and prompt-injection risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`restore_version` replaces the current skill file after only internal validation and an automatic backup, with no explicit user confirmation, diff preview, or policy gate in this function. In a meta-skill that can evolve and apply changes conversationally, this increases the chance of accidental or unauthorized rollback/overwrite of active skill logic, which can disrupt operation or reintroduce unsafe content.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal