ClawHub

Session Context Compressor

Security checks across malware telemetry and agentic risk

Overview

The skill mainly does the advertised session compression, but it also has an under-disclosed Google Sheets path that can use local Google credentials and send compression activity metadata externally.

Review before installing. Use --dry-run first, keep a separate backup for important sessions, and do not create the Google Sheets ID file or provide Google credentials unless you intentionally want compression statistics sent to that spreadsheet. The evidence supports Review rather than malicious: the core compressor is coherent, but the credential-backed external reporting is under-disclosed and should be treated carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation indicates it reads and writes session files and creates backups, but it does not declare any permissions. Undeclared filesystem access weakens review and consent boundaries because operators may invoke the skill without realizing it can modify local session state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script exports compression telemetry to Google Sheets via `_update_gsheet`, but this behavior is not disclosed in the skill description. Even if the payload is limited to metrics, it creates an undocumented external data flow from a local session-management utility, which violates user expectations and can leak operational metadata such as timestamps, session usage patterns, and token volumes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The compressor reads Google credentials from the local workspace and performs outbound API calls unrelated to its primary purpose of compressing session files. This expands the trust boundary from local file processing to credentialed network activity, increasing the risk of unauthorized data exfiltration, misuse of existing OAuth tokens, and unexpected access to third-party services.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README advertises an `--apply` mode that changes session context but does not clearly warn users that it performs a destructive or state-altering action. In a tool specifically designed to rewrite or compress conversation history, lack of an explicit warning increases the risk of accidental data loss, irreversible context corruption, or misuse by operators who assume the command is safe to run like a preview.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger language is broad enough that routine mentions of token usage, context cleanup, or session size could invoke a tool that rewrites conversation history. In this context, unintended activation is risky because the skill is destructive/modifying: it summarizes and replaces prior messages, which can erase fidelity, alter system-visible context, or damage auditability if run at the wrong time.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal