ClawHub

Principles

Security checks across malware telemetry and agentic risk

Overview

This is a local note-organizing skill that creates and updates a personal folder in the workspace, with no evidence of hidden network access, credential use, or destructive behavior outside that purpose.

Install this only if you are comfortable with the agent creating and maintaining a personal/ folder in your workspace. Avoid storing secrets there, and review inbox.md before running processing if you want to preserve raw notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill advertises broad natural-language triggers such as 'asks to capture a thought, process their inbox, review principles, or log wisdom,' which can cause the agent to activate in situations where the user did not explicitly intend to invoke this skill. Because the skill creates and modifies persistent files under `personal/`, unintended activation can lead to unrequested writes, reorganization of notes, or inbox processing with side effects.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to create a `personal/` directory tree on first use and to read, route, clean up, and update multiple files, but the user-facing description does not clearly warn that persistent workspace files will be created and modified. This lack of disclosure increases the risk of surprising or unauthorized state changes, especially when combined with broad invocation phrases and automated inbox cleanup.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal