leader-skill(create--leader)

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can collect and store sensitive workplace chats/documents while profiling a leader’s weaknesses and replacement path.

Install only if you have clear authorization to process the workplace data involved. Avoid private chats, coworker identifiers, and company documents unless all required consent and workplace approvals are in place, and review/delete generated profiles, knowledge files, backups, tokens, and ~/.create-leader configuration when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill instructs bulk workplace surveillance and ingestion of messages, docs, meetings, and reports far beyond what is necessary to provide generic leadership coaching. In context, this creates a reusable dossier on a real person and increases the risk of privacy violations, insider misuse, and unauthorized profiling.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Private-chat collection using access tokens introduces credentialed access to sensitive communications that are especially likely to contain confidential or personal information. This is dangerous because it normalizes harvesting private workplace conversations to profile an individual, which can enable privacy abuse and policy violations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill includes a destructive shell operation (`rm -rf leaders/{slug}`) unrelated to the core analytical purpose and exposes deletion through a parameterized command. If misused or insufficiently validated, this can cause data loss and expands the blast radius of the skill beyond content generation.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The ethics section attempts to frame the skill as benign self-improvement, but the operational core explicitly prioritizes identifying weaknesses and planning how to replace a leader. This contradiction is dangerous because it can mislead reviewers and users about the true risk profile while still facilitating adversarial profiling behavior.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The prompt directs collection of private chats, shared group messages, documents, wikis, and tables that go well beyond the stated leadership-analysis purpose. This creates unnecessary surveillance and over-collection of highly sensitive workplace data, including third-party communications that may not be relevant or consented to.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The prompt includes directory-scoping steps to discover another person's open_id, enabling identification and targeting of coworkers without clear necessity for the advertised function. In context, this supports surveillance and data gathering on third parties, making abuse against employees or managers substantially easier.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The prompt instructs sending a message to a target user solely to retrieve a private chat_id, which is an active interaction with a third party unrelated to safe passive analysis. This creates a capability to contact or probe coworkers and establish access paths into private conversations under the guise of leadership analysis.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
Allowing the agent to bypass the provided collector and instead write arbitrary API scripts turns the skill into a general Feishu automation and data-extraction framework. That flexibility weakens safety boundaries, makes auditing harder, and increases the chance of unauthorized collection or misuse of credentials and tokens.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The prompt explicitly instructs the agent to regenerate and overwrite persistent skill artifacts under leaders/{slug}/, which expands the skill from analysis into repository content management. In this skill context, that is risky because the broader skill is designed to distill sensitive workplace data about a leader, including weaknesses and replacement strategies, so automatic persistence can create durable sensitive dossiers and modify operational artifacts without clear user consent or scope controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The backup step invokes a local python3 command against a version-management script, giving the prompt authority to execute local code rather than only analyze text. Even if intended for backups, this broadens the attack surface to command execution and could be abused if parameters, environment variables, or surrounding tooling are manipulated.

Context-Inappropriate Capability

Severity: Low
Confidence: 80%
Finding
Allowing ingestion from Feishu/DingTalk links adds external data collection capability that is not clearly bounded in the skill description or accompanied by privacy and authorization checks. In this skill’s context, those links may contain highly sensitive workplace communications, making unauthorized collection and downstream persistence more dangerous than in a generic document-processing skill.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The file explicitly instructs users to identify a leader’s 'fatal weaknesses,' relationship conflicts, power dependencies, and exploitable timing for replacement, while only adding a superficial ethics disclaimer. That disclaimer does not neutralize the operational guidance; instead, it legitimizes collection and strategic use of sensitive interpersonal weaknesses in a workplace context, which can enable manipulation, retaliation, or targeted career harm.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The rollback flow deletes the existing knowledge directory with shutil.rmtree() and replaces it from a selected backup without any confirmation, dry-run mode, or path-safety checks. If invoked with an unexpected slug/base-dir combination or on the wrong target, it can cause destructive local data loss and unauthorized replacement of skill content.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README advertises automatic Feishu/DingTalk data collection but does not warn about consent, privacy, retention, or access boundaries. In a workplace context, this can lead users to ingest sensitive employee communications or corporate data without understanding the legal, ethical, and security implications.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Referencing Feishu private chat collection without a prominent warning normalizes access to highly sensitive direct messages. Because private chats often contain confidential business information and personal data, this materially increases the risk of unauthorized surveillance, privacy violations, and downstream misuse in model building.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger set is broad enough to activate on ordinary workplace-advice requests, causing the skill to enter a high-risk workflow without clear user intent. In this skill, accidental activation is more dangerous than usual because the workflow leads into surveillance, persistence, and replacement-oriented profiling.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
Ambiguous evolution triggers like 'that's wrong' or 'append' can match normal conversation and silently modify stored profiles. Because this skill persists sensitive dossiers, unintended updates can corrupt records, expand retained data, or cause the system to treat ordinary feedback as authorization to alter files.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The English triggers overlap with common requests for workplace help, making unintended activation likely for benign users seeking advice. In this context, accidental activation can funnel users into a workflow that collects and stores sensitive third-party information about managers.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
Natural correction phrases are treated as workflow control signals, which can cause ordinary chat to mutate persisted artifacts. When the persisted artifacts are behavioral profiles of real people, accidental state changes create both privacy and integrity risks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The example shows the assistant reading newly provided files and offering to append extracted information into an existing leader profile, then persisting the update after a simple confirmation. Because this skill stores sensitive workplace inferences about real individuals, insufficient warning about persistence, provenance, and possible misclassification can lead users to unknowingly create or contaminate a long-lived dossier that may later be used for manipulation, retaliation, or unfair profiling.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The correction flow records user-supplied claims as persistent updates to the leader skill without an explicit warning that stored behavioral assessments are being modified and versioned. In this skill's context—analyzing leaders, weaknesses, and replacement paths—this makes it easy to permanently encode biased, false, or adversarial narratives about a person, increasing the risk of harmful downstream advice and reputation damage.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The prompt explicitly instructs the agent to edit multiple files, append records, and regenerate `SKILL.md`, but it does not require explicit user confirmation or warn about overwrite side effects. In an agent setting, this can lead to unintended persistent modifications to project artifacts, especially when a casual correction request triggers broad file updates.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding
The instructions require automatic updates to `meta.json` fields such as version, timestamp, and correction count without notifying the user. While lower impact than content rewrites, silent metadata mutation can still create audit confusion, trigger downstream automation, or misrepresent the state of the skill without informed consent.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill tells the agent to collect private chats, documents, and tables but does not prominently warn about privacy, third-party confidentiality, employment sensitivity, or consent requirements. Because the data includes workplace communications and content from other people, omission of these warnings materially raises the risk of covert or inappropriate surveillance.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The prompt asks for app credentials, OAuth codes, and user access tokens without clear secret-handling precautions. These credentials enable direct API access to enterprise communications, so mishandling them could expose organizational data well beyond a single analysis session.

VirusTotal

65/65 vendors flagged this skill as clean.