Pluginvv1.0.1.0

ClawScan security

pskoettselfimproving · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 1:06 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's description is vague but the package contains a large Instagram data export (messages, media, device/security logs) and a prompt-injection signal (unicode-control-chars), which is disproportionate and potentially dangerous given there's no justification or instructions for accessing that data.
Guidance: Do not install this skill without clarifying its purpose and why it includes what looks like a full Instagram data export (messages, media, device/login history). The bundle contains sensitive personal data that could be read or leaked by the agent. Ask the publisher to explain exactly what the skill does, remove any personal data that isn't necessary, and provide explicit runtime instructions describing which files (if any) will be accessed. If this is someone else's personal archive or you don't own the data, refuse installation. If you must test it, run the skill in a tightly isolated sandbox, review all included files offline, and confirm there are no embedded hidden instructions (unicode control chars) or external endpoints. When in doubt, decline — the package as provided is disproportionate and risky.
Findings: [unicode-control-chars] unexpected: Unicode control characters were detected in the SKILL.md content. With an otherwise-empty SKILL.md and many included files, this is suspicious — such characters are a known vector for prompt-injection or stealthy instruction embedding and are not expected for a legitimate 'self-improving agent' description.

Review Dimensions

Purpose & Capability: concernThe name/description ('pskoettselfimprovingagent') gives no clear purpose, yet the bundle includes ~74 files that appear to be an Instagram data archive (messages, profile/media, security/login logs, device info). That volume and sensitivity of data is not explained or justified by the stated purpose.
Instruction Scope: concernThe SKILL.md is effectively empty (just a title and one-line description) and does not document any expected runtime behavior, but the skill bundle contains many sensitive files. The instructions do not explicitly limit reading or transmitting those files; having them bundled gives the agent access and could lead to reading/transmitting private data. A prompt-injection pattern (unicode-control-chars) was detected in the SKILL.md content, suggesting an attempt to influence agent behavior.
Install Mechanism: noteThere is no install spec (instruction-only), so nothing will be downloaded or executed during install. However, the package already includes many files (media, HTML message exports, mp4), which will be available to the agent at runtime — this is a privacy/data-exposure risk even though install is low-risk.
Credentials: concernThe skill requests no environment variables or credentials, which is good, but it contains highly sensitive personal data (private conversations, device/login history, media). That sensitivity is disproportionate to the absent/unclear declared purpose and creates a risk of accidental disclosure by the agent.
Persistence & Privilege: okThe skill is not marked 'always: true' and does not request additional platform privileges. It is user-invocable and may be invoked autonomously by the agent (default), which is normal — the main problem is the sensitive data bundled with the skill, not persistent privileges.