Huo15 Autoresearch Loop

Security checks across malware telemetry and agentic risk

Overview

This skill is an autonomous coding loop whose behaviour is mostly aligned with its stated purpose, but it can run arbitrary shell commands and can commit, reset, or delete repository files on its own, with no tight user control over either.

Use it only in a clean, disposable branch or worktree, after reviewing the verification command and any command that will be placed in CLAUDE_TASK. Do not run it in repositories with uncommitted or untracked work, secrets, or important local-only files, and consider disabling automatic commits and rollback before installation.

SkillSpector

By NVIDIA
Vulnerability patterns checked
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The configuration enables automatic commits on success and automatic reverts on failure, which gives the loop direct authority to mutate repository state rather than merely propose or test changes. In an autonomous iterative system this widens the blast radius of mistakes: the loop can overwrite work and persist unsafe or low-quality changes without explicit human review.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The script executes the contents of the CLAUDE_TASK environment variable via eval, which is arbitrary shell execution with the privileges of the running user. In this skill's autonomous loop that is especially dangerous, because the command is re-run on every iteration without validation, scoping, or confirmation, enabling code execution, data exfiltration, or destructive system actions far beyond the stated research purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
On verification failure the script automatically runs git reset --hard and git clean -fd, which irreversibly discards uncommitted tracked changes and deletes untracked files. In an unattended iterative loop this is a high risk of data loss, and it will destroy unrelated local changes if the repository is not perfectly isolated.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger phrases include broad natural-language expressions such as '跑起来别停' ("keep running, don't stop") and '自动循环' ("auto loop"), which overlap with ordinary conversation. This makes accidental activation more likely, and for a skill that can modify files and execute verification commands, benign chat can turn into unintended autonomous actions.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill is documented as modifying code, executing a user-supplied verification command, and automatically committing or reverting changes, yet it provides no clear risk warning or consent boundary. Because the skill is explicitly designed for repeated autonomous operation, a mistaken invocation or an unsafe command can quickly cause repository damage, destructive reverts, or execution of hazardous shell commands.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill persists iteration state to a file in the user's home directory without warning that local data will be written there. Because that state includes goals, commands, timestamps, and history, it may expose project details or user activity to other local processes or users, depending on the file's permissions and the host setup.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill executes shell commands from CLAUDE_TASK without any user-facing warning, approval step, or display of the exact command. Because the command comes from an environment variable and the loop is designed for autonomous repetition, users may not realize that arbitrary code execution is occurring, which increases the chance of a silent compromise.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The script performs destructive rollback operations automatically and suppresses their output, so users may not realize that local changes are being discarded. Hidden destructive behaviour in an autonomous tool causes unexpected loss of work and removes the user's chance to intervene in time.
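The findings above about eval of CLAUDE_TASK, the silent reset/clean rollback, the quietly written state file and the suppressed output all describe shell behaviour, so the following is an added example in POSIX shell, not code from the skill or from SkillSpector. It places the weak pattern the findings describe beside a hardened form. Every function name, the TASK_ALLOWLIST variable and its default are illustrative assumptions; CLAUDE_TASK is the only identifier taken from the report.

```shell
#!/bin/sh
# Added example, not the skill's own code. Weak patterns from the findings
# next to a hardened form. Function names, TASK_ALLOWLIST and its default
# are assumptions; CLAUDE_TASK is the only identifier from the report.

# Weak pattern: eval hands CLAUDE_TASK full shell power, output is thrown
# away, and a failure silently destroys tracked and untracked work.
weak_iteration() {
    eval "$CLAUDE_TASK" >/dev/null 2>&1 || {
        git reset --hard >/dev/null 2>&1
        git clean -fd >/dev/null 2>&1
        return 1
    }
}

# Hardened form ------------------------------------------------------------

# Command words the loop may run (assumed default; override per project).
TASK_ALLOWLIST=${TASK_ALLOWLIST:-"make pytest cargo go npm"}

# Accept a task only if it is one plain command line, free of shell
# metacharacters, whose first word is on the allowlist.
task_allowed() {
    task=$1
    [ -n "$task" ] || return 1
    # printf adds no newline, so wc -l counts only embedded ones.
    [ "$(printf '%s' "$task" | wc -l | tr -d ' ')" -eq 0 ] || return 1
    # Reject anything eval or sh -c would interpret.
    if printf '%s' "$task" | LC_ALL=C grep -q '[;&|`$<>(){}*?\\"'"'"']'; then
        return 1
    fi
    set -f; set -- $task; set +f   # split on whitespace only, no globbing
    case " $TASK_ALLOWLIST " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a task without eval: refuse anything not allowlisted, echo the exact
# argv first, and leave output visible so the user can see what happened.
run_task() {
    task_allowed "$1" || { echo "refusing to run task: $1" >&2; return 2; }
    echo "+ $1" >&2
    set -f; set -- $1; set +f
    "$@"
}

# Refuse to start on a dirty worktree, so a rollback can only ever undo
# the loop's own changes.
require_clean_worktree() {
    [ -z "$(git status --porcelain)" ] && return 0
    echo "worktree has uncommitted or untracked changes; aborting" >&2
    return 1
}

# Undo a failed iteration with a stash instead of reset --hard + clean -fd:
# -u captures untracked files too, and everything stays recoverable.
rollback_iteration() {
    git stash push -u -m "autoresearch rollback $(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Persist loop state owner-readable only, and say where it went.
write_state() {
    file=$1; shift
    (umask 077; printf '%s\n' "$@" > "$file")   # new file is created 0600
    chmod 600 "$file"                            # existing file is tightened
    echo "state written to $file" >&2
}
```

The hardened path splits the task on whitespace, so quoted arguments are not supported; that is deliberate, since supporting them means reintroducing a shell parser. Allowlisting the command word only bounds what the loop can start: make, npm and go will still execute whatever the Makefile, package scripts or module under test contain, and an agent that edits those files controls that code. The disposable worktree recommended in the overview therefore remains the primary control; these checks make the blast radius visible and recoverable rather than eliminating it.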

VirusTotal

64/64 vendors flagged this skill as clean. A clean antivirus verdict says nothing about the agentic-risk findings above: a script that evaluates an environment variable and resets a repository is not malware and will not be flagged as such.