Skill Creator Pro

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its stated purpose, but it includes high-authority evaluation tooling that can kill unrelated local processes, run background servers, and send skill/eval content through the Claude CLI.

Install only if you are comfortable with a skill that edits and packages skills, runs local Python tooling, uses Claude CLI authentication, and may open browser/server processes. Prefer the static viewer mode, avoid running it in sensitive repositories unless you are comfortable sending skill/eval content to `claude -p`, and check for port conflicts before using the non-static review server.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs use of shell commands, file reads/writes, environment-dependent tooling, and background processes, but the manifest declares no permissions or capability boundaries. That mismatch can cause the skill to execute with more power than a user would reasonably infer, increasing the chance of unsafe filesystem or command execution during normal use.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code will terminate any process listening on the requested port, regardless of whether this tool started it. That can kill unrelated local applications or developer services, causing denial of service and possible data loss if the terminated process was in the middle of work.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This local review UI fetches fonts from Google and SheetJS from a third-party CDN at runtime, which introduces supply-chain and privacy risk that is unrelated to the core purpose of offline/local eval review. If those external resources are unavailable, maliciously modified, or blocked, the viewer may break or execute attacker-controlled JavaScript in the browser context.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The description and trigger guidance are intentionally broad, causing the skill to activate on generic mentions of skill creation, testing, optimization, or descriptions. Over-triggering can route unrelated conversations into a high-capability workflow that performs file, shell, eval, packaging, and browser actions the user did not clearly request.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill explicitly recommends making descriptions 'pushy' to combat undertriggering, which systematically biases future skills toward overbroad activation. In this context, that is dangerous because the same skill also encourages shell execution, subagent spawning, file modification, and packaging, so accidental invocation has meaningful side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The program performs process-killing behavior automatically before server startup and gives the user no warning or confirmation. In a skill intended to create and evaluate other skills, that is more dangerous because users may run it in active development environments where important local services commonly occupy ports.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends the generated prompt to `claude -p`, and that prompt explicitly embeds full skill content, current descriptions, eval results, and prior attempt history. If those inputs contain proprietary code, secrets, customer data, or sensitive prompts, they are transmitted to an external model/tool without any consent gate, redaction step, or prominent user-facing warning at the call site.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The script automatically opens a generated HTML report in the user's default browser without prompting or requiring explicit opt-in. While this is not typically a severe security flaw on its own, it can violate user expectations, trigger unintended external application launches, and increase risk if the generated report ever contains untrusted or attacker-controlled content.

Session Persistence

Medium
Category
Rogue Agent
Content
4. **Launch the viewer** with both qualitative outputs and quantitative data:
   ```bash
   nohup python <skill-creator-path>/eval-viewer/generate_review.py \
     <workspace>/iteration-N \
     --skill-name "my-skill" \
     --benchmark <workspace>/iteration-N/benchmark.json \
   ```
Confidence
88% confidence
Finding
nohup

VirusTotal

66/66 vendors flagged this skill as clean.