Skill Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local skill-usage tracker that matches its stated purpose, but it creates persistent local logs that may include user, session, and error metadata.

Install only if you are comfortable keeping a local activity history of skill calls. Protect or periodically delete the data directory, avoid passing secrets, tokens, personal data, or raw exception text into context/error fields, and use this tracker only with skills whose usage you intentionally want recorded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill explicitly states it requires filesystem read/write access and stores persistent data, but no corresponding permissions are declared in the metadata. This creates a trust and review gap: operators may install the skill believing it has no sensitive capabilities, while it can in fact read and write local files for stats and logs.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The skill is presented as a privacy-preserving local usage tracker, but the documented integration examples and config indicate it may persist raw context, error details, and per-invocation logs in usage-log.jsonl. That is materially broader than simple aggregate statistics and can capture sensitive user, session, or operational data, increasing privacy and data-retention risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill advertises privacy-preserving local statistics, but it writes user, channel, session_id, success state, and error context to disk in a JSONL log. Even if storage is local, this is still persistent telemetry that can expose identifiable or sensitive operational metadata to other local users, backups, or later compromise.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The code claims file-lock/concurrent-safety support, but the implemented lock is only an in-memory Map, which does not synchronize across multiple Node.js processes or restarts. In multi-process deployments this can cause race conditions, lost updates, and corrupted or inconsistent statistics files, undermining integrity guarantees.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The skill advertises privacy protection via local storage, but it persistently records per-call user, channel, session_id, success, and error details in a structured usage log. Even if data stays local, this still creates a sensitive activity trail that may expose identifiers, operational context, and error contents to anyone with filesystem access or through later log exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README explicitly encourages logging user identifiers, session IDs, and error details into local files, but it does not clearly warn that these fields may contain sensitive personal or secret data. Even with local-only storage, such logs can expose PII, credentials, tokens, or internal details to other local users, backups, or later compromise, making this a real privacy/security weakness.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The manual trigger phrase '使用报告' (roughly "usage report") is broad enough to match ordinary conversation and unrelated requests, which can cause unintended activation of the skill. In a tracking/reporting skill, accidental invocation may expose internal usage statistics or create confusing side effects during normal chat.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The phrase '查看技能使用情况' (roughly "view skill usage") is ambiguous and resembles normal user language, making false activations plausible. Because the skill can surface stored statistics and possibly detailed logs, accidental triggering can reveal metadata that users did not intend to request.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The usage logger persists contextual user data to disk without any visible warning, consent flow, or clear disclosure in the code path. In a tracking skill, this makes the issue more dangerous because the core feature normalizes ongoing telemetry collection, increasing the chance of silent privacy violations and retention of sensitive metadata.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The tracker writes user/context metadata to persistent files without any visible consent, notice, or caller-side disclosure mechanism. In an agent skill context, hidden telemetry is more dangerous because users and integrators may assume the skill only performs its advertised function and may unknowingly submit identifying or sensitive operational data to local logs.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The logging path stores context fields and raw error information in plain JSONL without minimization or sanitization controls. This is risky because error strings and session metadata often contain secrets, internal paths, identifiers, or operational details, and persistent plaintext logs widen the exposure window far beyond the original skill invocation.

VirusTotal

66/66 vendors flagged this skill as clean.