Chat History Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill locally reads recent Cursor chat history and optional OpenClaw logs, then saves local journal summaries; the behavior is sensitive but disclosed and purpose-aligned.

Install only if you are comfortable with recent Cursor chats, and optionally OpenClaw logs, being analyzed locally and summarized into plaintext files under your OpenClaw journal. Run it manually first, inspect the generated output, avoid using it on chats containing secrets or private data, and enable the hourly cron job only if you want recurring local monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly writes analyzed chat contents to the journal directory, but the metadata shown does not declare corresponding permissions. Undeclared file-write capability weakens user consent and security review because a skill can persist potentially sensitive derived data without clear upfront authorization boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a chat-history analyzer, but the documented usage also runs analyze_logs.py to inspect OpenClaw/self-optimizer logs and produce combined reports. This broader behavior increases the data access surface beyond user expectations, creating a transparency and consent failure around what local information is collected and processed.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script's documented and implemented behavior goes beyond the stated skill purpose of chat history analysis by also performing OpenClaw log analysis. In a security-sensitive agent ecosystem, this kind of scope expansion increases data access and processing beyond user expectation, which can expose operationally sensitive logs and violate least-privilege assumptions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code imports and executes a separate self-optimizer capability from another skill path, creating hidden cross-skill coupling and expanding the trust boundary. This is dangerous because it allows a chat-history-analysis skill to invoke unrelated code with access to local logs and home-directory data, increasing the chance of unintended data collection, privilege misuse, or execution of less-reviewed functionality.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script's documented purpose is chat history analysis, but it explicitly states it also performs self-optimizer log analysis. This is a scope expansion vulnerability because it causes the skill to access and process additional user/system data beyond the declared behavior, undermining informed consent and least-privilege expectations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Importing and invoking SelfOptimizer introduces analysis of OpenClaw logs that is unrelated to the declared chat-history-only function. In an agent skill context, hidden secondary data access is dangerous because users and orchestrators may grant trust based on the manifest, while the code silently processes broader telemetry.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This block actively reads from ~/.openclaw/logs and reports on errors, restarts, config changes, and suggestions, exceeding the advertised chat-history analysis scope. Access to operational logs can expose sensitive environment details, system behavior, or configuration information that users did not expect this skill to inspect.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly describes extracting Cursor IDE chat history from SQLite databases and saving derived reports to a journal path, but provides no warning, consent model, retention guidance, or privacy controls for potentially sensitive conversation content. Because chat history can contain credentials, proprietary code, internal discussions, or personal data, normalizing automated collection and persistence increases the chance of unintended disclosure or secondary exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill processes local Cursor chat history, which may contain secrets, source code, credentials, or sensitive work discussions, and then persists extracted findings to disk. Without a prominent privacy warning and data-handling disclosure, users may enable scheduled analysis without understanding that sensitive conversation content is being mined and summarized.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script extracts chat history, analyzes it, and persists the derived content to a journal file without any user-facing warning, consent flow, or sensitivity filtering. Because IDE chat histories often contain source code, secrets, internal URLs, credentials, or debugging traces, silently storing summaries can create a durable secondary copy of sensitive data and expand exposure if the journal is later read or synced.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill is designed to read Cursor chat history, which can contain sensitive prompts, code, secrets, internal URLs, and debugging output, and later persist derived excerpts to disk. Even if this is the intended feature, collecting and re-saving chat content without clear consent, minimization, or redaction creates a real privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
At the write step, the script persists excerpts of user/assistant chat content directly into a journal markdown file, creating a second copy of potentially sensitive material in a predictable location. This increases exposure surface because data that was originally confined to Cursor storage is now duplicated in another plaintext artifact that may be synced, backed up, indexed, or committed accidentally.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script analyzes chat history and persists derived findings to a journal without any user-facing notice, consent prompt, or data-handling warning. Because chat transcripts may contain secrets, credentials, proprietary code, or personal information, silent persistence increases the risk of unintended retention and secondary exposure.

Ssd 3

Medium
Confidence
97% confidence
Finding
This is a straightforward data leakage path: raw or lightly processed chat contents are copied from Cursor's databases into a human-readable journal file. Because chats often include confidential code, tokens, stack traces, customer data, or security discussions, the journal can become an unintended disclosure point to local users, backup services, search indexers, or source-control workflows.

VirusTotal

64/64 vendors flagged this skill as clean.
