Project Knowledge Graph

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local project knowledge-indexing tool, but users should review its persistent cross-project indexing and its local-index deletion commands before use.

Install only if you are comfortable with a persistent local index of the configured project roots and installed skills. Run the dry run first, edit PROJECT_ROOTS to exclude sensitive projects, keep FalkorDB on localhost unless you intentionally trust a remote host, and remember that delete --all removes the local index without a second confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The skill is presented as a local read-oriented knowledge graph, but the documentation also exposes deletion operations and admits data can be sent to a non-local FalkorDB host via environment override. That mismatch is dangerous because users may invoke the skill expecting only local indexing/search while it can destroy indexed data or exfiltrate project content to a remote service under alternate configuration.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The security/scope section says writes are limited to MERGE-only with no deletions, yet later documentation advertises a delete command that removes graph data. False security assurances are risky because operators and higher-level agents may make trust decisions based on them and permit actions they would otherwise restrict.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger regexes are broad natural-language patterns such as 'what did we learn' and 'search across project', making accidental invocation plausible during ordinary conversation. In this skill's context, unintended activation is more concerning because it reads across multiple projects and may index or query sensitive cross-project material without the user's deliberate intent.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The delete operation allows irreversible removal of all indexed chunks, including via --all, without any confirmation prompt or additional safeguard. In a cross-project knowledge tool, this increases the chance of accidental or scripted data loss affecting the entire local corpus, especially because it aggregates artifacts from multiple projects in one graph.

VirusTotal

64/64 vendors flagged this skill as clean.