Handover Memory Pack

Security checks across malware telemetry and agentic risk

Overview

This is a local handover-document helper that reads user-provided material and writes a draft report, with no evidence of network access, persistence, destructive behavior, or hidden exfiltration.

Install only if you are comfortable with a local Python helper reading the input file you provide and, when requested, writing a Markdown or JSON output file. Use scoped handover documents, avoid pointing it at broad private directories, and redact secrets or sensitive personnel details before sharing generated reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares no permissions, yet its instructions explicitly allow use of python3 with input/output files and rely on local resources, implying file read, file write, and shell execution capabilities. This mismatch is dangerous because reviewers and policy engines may treat the skill as low-privilege while it can actually access local data and invoke code paths, increasing the chance of unintended data exposure or unauthorized processing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is a handover-memory formatter, but the detected behavior indicates a broader audit/scanning tool that can enumerate files, inspect CSV/TSV contents, parse skill metadata, and run built-in high-risk pattern scans. That gap is dangerous because users may provide sensitive project directories expecting a scoped handover summary, while the skill may analyze unrelated files and surface secrets, internal URLs, or other sensitive operational data outside the declared use case.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The dispatcher enables multiple generic audit modes such as directory, CSV, pattern, and skill auditing that go beyond the stated handover-memory purpose. This expands the skill into a general filesystem analysis tool, increasing the chance it is used to inspect unrelated local content and expose sensitive project data during normal operation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code scans arbitrary files for secrets and risky shell patterns, which is unrelated to the declared handover-memory function and can surface sensitive snippets from local repositories. Even though one pattern partially redacts matches, the tool still reports file paths and matched content, creating a data exposure risk if run on broad directories.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill can audit arbitrary skill directories, enumerate expected files, and parse frontmatter metadata, which is not justified by a handover-memory workflow. In practice, this broadens access to repository structure and metadata from unrelated projects, enabling unintended disclosure of internal tooling details.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are broad, natural-language requests that can plausibly overlap with ordinary user conversation, increasing the chance that the skill is invoked unintentionally. In a handover/knowledge-transfer context, accidental activation could cause unrelated content to be reorganized into a handover artifact and may expose sensitive operational or personnel details that were not meant for this workflow.

VirusTotal

61/61 vendors flagged this skill as clean.