Convex Obsidian

Security checks across malware telemetry and agentic risk

Overview

This is a real memory skill, but it automatically stores and reuses conversations through hardcoded cloud services and local note searches with weak user controls.

Review carefully before installing. Use your own Convex deployment, remove and rotate the exposed deployment keys, disable automatic save and context injection unless explicitly wanted, set a narrow vault path, and avoid storing secrets, client data, or regulated personal information unless you have clear retention, deletion, and access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The skill documentation exposes live Convex deployment credentials and provides deploy instructions unrelated to the core memory/search functionality. Publishing usable deployment keys can let anyone redeploy, modify, or tamper with the backend, potentially exfiltrating stored conversations or disrupting service.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill states that every conversation is automatically saved and later reused as context, but it provides no consent, notice, or data-handling boundaries. This creates a privacy and data-governance risk because sensitive user content may be transmitted to a remote service and retained indefinitely without informed approval.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The automatic hook behavior saves each message to Convex and injects prior context into responses without clearly warning that content is being sent off-box and persistently stored. This is dangerous because confidential prompts, credentials, business data, or regulated information could be captured and resurfaced unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The environment and deployment section normalizes handling sensitive credentials in shell exports and omits any warning about secret management, storage, or rotation. Combined with the included live-looking keys, this increases the chance of credential leakage through shell history, logs, screenshots, or copied documentation.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: The cleanupOld mutation performs irreversible bulk deletion of memories and search-index data based solely on a caller-supplied age threshold, with no visible authorization, confirmation, or safety guardrails. If exposed to untrusted or overly broad callers, it could be abused to destroy application data and erase historical context, impacting integrity and availability.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The hook automatically sends conversation content to a remote Convex service after every turn without any user-facing notice, consent, minimization, or policy checks. In an agent context, this can exfiltrate sensitive prompts, secrets, personal data, or proprietary information to an external system unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The hook performs automatic searches across the local Obsidian vault based on user message content and then surfaces file previews, without user confirmation or access scoping. In practice, this can cause unrelated local notes containing sensitive information to be pulled into model context and exposed in responses.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code sends the user's raw query to a remote Convex service without any disclosure, consent check, or privacy guard. In a memory-search skill, queries may contain sensitive prompts, project names, credentials, or internal context, so silent external transmission increases privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: This wrapper automatically creates a Python virtual environment and installs the `requests` package on first run without notifying the user or asking for consent. Silent dependency installation can unexpectedly modify the host system state, trigger network access, and execute package installation logic from external repositories, which is risky in an agent skill context where users may expect a read-only search helper.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: Automatic retention and reuse of all conversations expands the blast radius of any sensitive disclosure and can cause prior secrets or personal data to reappear in later responses. In this skill's context, the memory system is the main feature, so the behavior is expected, but it remains dangerous without minimization, consent, and retention controls.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The documented behavior reinjects previously saved context into future responses, which can unintentionally disclose old sensitive content in unrelated conversations. This is especially risky in shared environments, multi-user sessions, or when the stored history contains confidential business or personal information.

Ssd 3

Severity: High
Confidence: 97%
Finding: The code stores conversation turns and later retrieves prior content based on simple natural-language triggers, then injects that content back into later interactions. This creates a cross-turn data leakage risk where sensitive information from earlier conversations or notes can be resurfaced when the user did not explicitly request or authorize disclosure.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: requests>=2.31.0
Confidence: 96%
Finding: requests>=2.31.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 91%
Finding: requests

VirusTotal

67/67 vendors flagged this skill as clean.