ClawHub

Clipboard History

Security checks across malware telemetry and agentic risk

Overview

This clipboard-history skill is not malicious, but it asks to automatically retain sensitive clipboard contents and has messy, overly broad trigger text that could expose saved clipboard data unexpectedly.

Install only if you are comfortable with a local clipboard log being created. Treat it as sensitive storage: avoid copying passwords or tokens while it is active, clear the history regularly, and prefer a version that requires explicit opt-in, has clear delete controls, and asks before showing or restoring saved clipboard contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
87% confidence
Finding
These trigger phrases are broad enough to match ordinary user conversation about clipboard or copied text, which can cause the skill to activate unexpectedly. In a clipboard-history skill, unintended activation is more dangerous because the feature deals with potentially sensitive copied data and could expose or restore private content without clear user intent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
This merged trigger block includes unrelated phrases such as references to percussion content and opaque identifiers, making invocation criteria unpredictable. Ambiguous triggers increase the chance that unrelated user input will invoke a skill that handles sensitive clipboard history, leading to accidental disclosure or misuse.

Vague Triggers

Medium
Confidence
92% confidence
Finding
This additional trigger block again mixes unrelated phrases with the clipboard-history function, making it unclear when the skill should run. Because clipboard history may contain passwords, tokens, or personal text, accidental activation can expose sensitive entries to the user or another observer at the wrong time.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Using opaque identifiers and unrelated phrases instead of specific activation conditions makes the skill easy to trigger accidentally and hard to audit. In context, this is a real security concern because the skill's core function is access to retained clipboard contents, which are often sensitive.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill explicitly states that every copied item is automatically retained in a local history file, creating a standing log of potentially sensitive user data such as passwords, API keys, personal messages, or financial information. Even without network access, local persistent storage materially increases exposure through shoulder-surfing, unauthorized local access, backups, malware, or accidental display of historical entries.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal