Scribe

Security checks across malware telemetry and agentic risk

Overview

Scribe appears locally focused, but it broadly gathers private chats, drafts, memories, preferences, logs, and config into persistent notes without enough user controls.

Install only if you deliberately want a local journal that may include private Cursor conversations, unpublished drafts, logs, memory, and preference files. Review or modify the script before use, avoid scheduled runs until you are comfortable with the retained plaintext notes, and keep the Notes directory out of sync, backups, and commits unless you have reviewed its contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill claims to scan OpenClaw artifacts, but it also accesses Cursor application data under the user's home directory, outside the declared OpenClaw scope. That expands collection into unrelated editor data and can silently ingest private conversation or workspace state the user did not reasonably expect this skill to touch.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The SQLite query is intentionally broad, matching generic keys like '%chat%', '%ai%', '%history%', and '%conversation%' across Cursor state databases. This can pull far more information than needed for note generation, including unrelated or sensitive records, creating an unnecessary over-collection and privacy exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly advertises scanning highly sensitive sources including logs, config files, chat history, memory, drafts, and behavior/preferences files, but does not present a clear privacy warning, consent model, or data-minimization guidance. In the context of an agent skill, this can normalize excessive collection of personal and operational data and lead users to run the tool without understanding the breadth of exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states where notes are written but does not clearly warn that execution creates persistent summary files that may contain copied or derived sensitive information from the scanned sources. This is dangerous because users may unintentionally generate new consolidated artifacts that are easier to exfiltrate, index, sync, or commit than the original scattered data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description advertises scanning chat history, behavior/preferences, desires, tastes, and drafts without a prominent warning that these are highly sensitive personal data sources. This is dangerous because users may enable the skill without understanding the privacy exposure or the downstream persistence of extracted content into notes.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The description authorizes scanning an extremely broad set of sources, including logs, config files, chat history, cursor history, behavior, desires, tastes, and drafts, without clear boundaries, minimization, or consent language. In a note-taking skill, this ambiguous scope can enable overcollection of sensitive data far beyond what is necessary, increasing privacy, surveillance, and data misuse risk.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The description explicitly references scanning 'behavior, desires, tastes,' which implies inferring intimate personal attributes and preferences without any documented opt-in or safeguards. In the context of a journaling/summarization skill, this makes the issue more dangerous because the feature is framed as routine background note-taking, which could normalize covert profiling of highly sensitive user traits.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code harvests chat history from local databases and later writes message excerpts into generated notes without any explicit user warning, consent flow, or redaction step. This transforms transient or semi-private conversations into durable plaintext artifacts, increasing the chance of accidental disclosure, syncing, or later misuse.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill reads drafts, memory notes, behavior, desires, tastes, and preference files, then copies portions of their content into generated notes. These categories are highly sensitive and can include personal intentions, unpublished writing, credentials, or private preferences, making the aggregation especially dangerous when done silently.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Reading configuration and writing note files are not inherently unsafe, but doing so without clear user-facing disclosure is problematic because configuration may contain sensitive operational details and the output creates a new persistent artifact. In this skill, those file operations are part of a broader silent data aggregation workflow, which raises the risk materially.

Ssd 3

High
Confidence
98% confidence
Finding
The skill is designed to collect and summarize broad private data sources into notes, including chat history, memory, drafts, and behavior/desire files, which materially increases aggregation risk. Even if intended for productivity, centralizing these sources into a single report creates a high-value sensitive artifact and can expose secrets, personal content, operational details, or psychological profiling information.

Ssd 3

High
Confidence
97% confidence
Finding
The cron example encourages unattended recurring execution of a workflow that scans sensitive local sources and produces summarized notes, increasing the likelihood of silent ongoing collection and accumulation of private data. Automation makes the behavior more dangerous because users may forget it is running while new sensitive chats, drafts, or configs continue to be harvested over time.

Ssd 3

High
Confidence
97% confidence
Finding
The skill is designed to collect and summarize highly sensitive user-derived data, including chat history, preferences, desires, and drafts, into consolidated notes. Centralizing these data increases exposure by creating a new durable artifact containing sensitive excerpts and inferred personal information that could be accessed by other tools, users, or future processes.

Ssd 3

High
Confidence
98% confidence
Finding
These instructions direct the system to query chat databases and read memory, behavior, and draft files, then summarize their contents into notes. This is dangerous because it operationalizes bulk access to multiple sensitive repositories and republishes their contents into another location, expanding the attack surface and risk of privacy leakage.

Ssd 3

High
Confidence
99% confidence
Finding
The documented output format explicitly includes previews and excerpts from chat messages, memory files, drafts, and behavior files. This is dangerous because sensitive content is not merely analyzed transiently but persisted in human-readable notes, making accidental disclosure, backup propagation, and later unauthorized reuse much more likely.

Ssd 3

High
Confidence
97% confidence
Finding
The module-level description explicitly frames the skill as collecting broad categories of user context, including chats, behavior, desires, tastes, and drafts, to produce summaries. In context, this is not just descriptive text: it accurately reflects a design that aggregates sensitive material into persistent notes, which is a semantic privacy and data-exposure risk.

Ssd 3

High
Confidence
99% confidence
Finding
This section implements chat-history harvesting from Cursor databases and normalizes message content for later inclusion in notes. Even with truncation, it operationalizes cross-application collection and reproduction of potentially sensitive conversations, creating a direct semantic data leak into a new location under the workspace.

Ssd 3

High
Confidence
99% confidence
Finding
The daily note generator intentionally includes excerpts from chats, memory files, drafts, and preference-related files in a single consolidated document. That aggregation amplifies sensitivity because it combines multiple private data sources into one easy-to-find plaintext summary that may be backed up, synced, or shared inadvertently.

VirusTotal

63/63 vendors flagged this skill as clean.
