skill-tracker

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad always-on tracker that records conversation content and performs extra system/network discovery that users should review before installing.

Install only if you intentionally want broad per-turn audit logging and are comfortable with local retention of prompts, replies, outputs, and file paths. Review whether your environment permits the PM2/.env inspection and public-IP network call, and define retention, deletion, and redaction rules before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch
Severity: High. Confidence: 98%.
Finding: The skill’s stated purpose is execution tracking, but it also performs Deck service discovery and appends user-visible footer content. This hidden scope expansion is dangerous because it introduces unrelated infrastructure inspection and outbound/network-dependent behavior that users and operators would not expect from a logging skill.

Context-Inappropriate Capability
Severity: High. Confidence: 99%.
Finding: The skill instructs the agent to inspect PM2 process state, read environment files, obtain the public IP, and probe a service URL, none of which are necessary for simple skill tracking. These capabilities expand the attack surface, expose internal topology, and create an unjustified path to gather infrastructure metadata.

Intent-Code Divergence
Severity: Medium. Confidence: 95%.
Finding: The document says the skill operates completely silently and must never alter reply content, but it later requires appending a reminder to the user-facing response. This contradiction is dangerous because it conceals behavior modification and undermines user trust and reviewability of what the skill actually does.

Intent-Code Divergence
Severity: Medium. Confidence: 93%.
Finding: The skill declares the tracking file is append-only, then later instructs the agent to replace the last line and rewrite the file. This inconsistency can lead to unsafe file handling, accidental log tampering, and loss of audit integrity in a component that claims to preserve execution history.

Missing User Warnings
Severity: High. Confidence: 99%.
Finding: The skill mandates silent logging of conversation activity, including execution metadata, without user notice or consent. In context, this is dangerous because a conversation-level tracker can capture sensitive requests and operational context at scale, creating privacy, compliance, and insider-risk issues.

Missing User Warnings
Severity: Medium. Confidence: 97%.
Finding: The skill requires subprocess-based URL discovery and network probing without warning the user, despite being presented as a tracker. This is dangerous because it silently performs external/system interactions beyond the user’s request and can leak infrastructure details or trigger unexpected outbound traffic.

Ssd 3
Severity: High. Confidence: 99%.
Finding: The record structure explicitly stores full user and assistant message contents, creating a persistent natural-language log of potentially sensitive data. In a tracker called on most turns, this greatly increases the likelihood of retaining secrets, personal data, credentials, and confidential business information.

Ssd 3
Severity: High. Confidence: 99%.
Finding: The workflow reinforces broad retention by directing the agent to record both the user input and assistant reply for each applicable turn. This is dangerous because it operationalizes systematic capture of sensitive conversational data in a durable file with no clear minimization or consent controls.

VirusTotal

63/63 vendors flagged this skill as clean.