Local Bookmark Librarian

Security checks across malware telemetry and agentic risk

Overview

This skill is a local, mostly read-only bookmark/report helper, but users should keep its input narrowly scoped to exported bookmark or link files.

Install only if you intend to use it on exported bookmark copies, CSV/link lists, or a dedicated bookmark folder. Do not point it at your home directory, browser profile, source repositories, or other private folders, because reports may include local file names, paths, headings, and sampled content. Review generated output before making any browser changes or deleting links.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill advertises executable capabilities via `python3` and implies reading input files and writing output files, but it does not declare any corresponding permissions. That mismatch weakens reviewability and can lead operators or enforcement layers to grant broader access than intended, increasing the chance of unauthorized local file access or shell execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
This is a significant scope mismatch: the skill claims to only reorganize exported bookmarks, but the detected behavior suggests arbitrary directory scanning, CSV/TSV inspection, pattern-based high-risk content scanning, and even auditing other skills. A user invoking a bookmark-organizing skill would not reasonably expect broad local inspection or multi-mode analysis, which creates a real risk of over-collection of sensitive data and misuse of shell/file access.

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding:
The script’s dispatch logic supports multiple generic audit modes such as directory, CSV, pattern, and skill auditing that are unrelated to the declared bookmark deduplication/reclassification purpose. This capability mismatch expands what the skill can inspect on the local filesystem and increases the risk of unintended data access or repurposing as a general local reconnaissance tool.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The pattern_audit feature scans arbitrary files/directories for secrets, private URLs, and shell-execution patterns, which is outside the stated bookmark librarian use case. In context, this creates a local inspection capability that can expose sensitive content from unrelated files if a user points the skill at a broader directory.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The skill_audit functionality audits package structure and frontmatter for arbitrary skill directories, which is unrelated to bookmark management. While not directly destructive, it broadens the skill into a generic local auditing utility and can reveal project metadata and file presence beyond the user’s expected bookmark workflow.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger examples are broad everyday phrases like '整理我的书签并去重' and '按主题重建目录', which can overlap with normal user requests and cause the skill to be selected unintentionally. In a routing or auto-invocation system, this can lead to the skill acting on local files when the user only intended general advice, increasing the chance of unintended data exposure or confusing workflow execution.

VirusTotal

62/62 vendors flagged this skill as clean.
