ClawHub

Palest Ink - Activity Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local activity tracker, but it installs broad always-on monitoring and global Git hooks that users should review carefully before use.

Install only if you explicitly want continuous local monitoring of your browsing, shell commands, editor activity, app/window titles, file changes, and Git activity. Before installing, review the config, disable collectors you do not need, narrow watched directories and exclusions, and be aware that global Git hooks and a LaunchAgent will run in the background until uninstalled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands, reads sensitive local files, and instructs the user to run an installer, yet no explicit permission model or safety gating is declared. Because the skill handles highly sensitive activity data and can trigger installation and cleanup actions, the missing permission disclosure increases the risk of unauthorized data access or destructive actions being taken without clear user understanding.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is activity recall, but the documented behavior expands into persistent background collection, git configuration changes, app/window surveillance, webpage content capture, filesystem monitoring, and data deletion. This gap is dangerous because users may invoke a seemingly simple reporting skill without realizing it installs long-running collectors, changes global developer settings, and captures substantially more data than implied.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The cron entry point executes `collect_fsevent.py`, which gathers filesystem event data, but the skill metadata only describes tracking git commits, browsing, shell commands, and VS Code edits. This creates a capability/manifest mismatch that can expand collection beyond what users and reviewers reasonably expect, increasing privacy risk and undermining informed consent.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The installer changes Git's global core.hooksPath, causing its hook scripts to run across all repositories for the user, not just repositories associated with this skill. That broad scope creates cross-repository surveillance and can interfere with existing developer workflows or security tooling, especially because it silently overrides prior behavior.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script installs and loads a persistent launchd agent that runs every 15 seconds, enabling continuous background collection. For an activity-tracking skill this behavior is functionally related, but it still materially increases surveillance scope and persistence beyond a one-time install unless the user clearly opts in.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer checks access to Safari history and instructs the user to grant Full Disk Access and Accessibility, both of which are powerful macOS privacy permissions. For a tool that records browsing, app focus, and activity, these permissions may be useful, but requesting them expands access to highly sensitive data and should be tightly justified and minimized.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The schema explicitly documents collection of app focus/window titles and filesystem change activity that go beyond the skill's stated user-facing purpose of recalling commits, browsing, shell commands, and VS Code edits. Expanding telemetry scope without clear disclosure or tightly justified need increases privacy risk because it captures broader behavioral and potentially sensitive context than users would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The report generator goes beyond passive activity recall by inferring relationships between browsing history and subsequent git commits, effectively deriving user intent and research topics from separate telemetry sources. In an activity-tracking skill, this increases privacy sensitivity because it can reveal project goals, investigative interests, or confidential work themes that were never explicitly recorded as a single event.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes broad, continuous collection of highly sensitive local activity data including browser history with page content summaries, shell commands, edited files, app focus, and git activity, but it does not present a prominent up-front warning about the privacy and security implications before installation. Even if data remains local, aggregating this volume of behavioral data creates a high-value surveillance log that can expose credentials, proprietary code context, sensitive research, and personal activity if misconfigured or accessed by another process or user.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger conditions are broad enough to activate on common requests about recent work or browsing, which can cause the skill to access sensitive local activity records when the user may not expect that level of data retrieval. In the context of a skill that handles shell history, browsing history, app focus, and file changes, overbroad invocation materially raises privacy risk and the chance of unintended disclosure.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill accesses extremely sensitive local telemetry including browsing history, shell commands, application focus, and file modifications, but it does not present an upfront privacy warning or consent notice at the point of use. This is dangerous because users may unknowingly expose credentials, confidential project names, internal URLs, or personal behavior patterns simply by asking for a summary of their recent activity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This collector records the foreground application and window title to persistent disk storage, which can reveal highly sensitive user activity such as visited sites, document names, chats, tickets, or secrets embedded in titles. In an activity-tracking skill, this is especially risky because the behavior is broad, continuous, and not accompanied in this file by any user-facing notice, consent flow, minimization, or retention safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This collector reads the user's Chrome History SQLite database and persists detailed browsing activity, including URLs, titles, timestamps, and visit duration, into ~/.palest-ink without any consent flow, notice, or access minimization. In the context of an activity-tracking skill whose purpose is to recall browsing history, the behavior is functional, but it still creates a substantial privacy and surveillance risk because highly sensitive browsing data is copied into a second datastore that may be easier to exfiltrate or access than the browser's own protected storage.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code automatically fetches recorded URLs and stores extracted page content into local activity logs, which can silently expand collection from simple browsing metadata into full-content capture of potentially sensitive pages. Even without obvious exfiltration, this increases privacy risk, can retain confidential information from internal sites or personal web sessions, and performs network access on previously visited URLs without any user-facing notice in this component.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The collector persistently writes detailed file activity records, including full file paths and inferred workspace/repository locations, to disk without any disclosure, consent, minimization, or access-control handling shown in this file. In the context of an activity-tracking skill, this is especially sensitive because it creates a durable surveillance log that can expose projects, secrets locations, client names, and personal work patterns.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The collector persistently stores commit metadata including repository paths, branch names, commit messages, file names, and timestamps under ~/.palest-ink/data. In an activity-tracking skill, that data can reveal sensitive project names, internal file structure, and work history; the absence of any in-file notice, consent flow, or data-minimization control increases privacy risk if a local attacker, another process, or the skill itself accesses these logs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This collector reads Safari browsing history from the user's protected History.db and persists extracted visit data into ~/.palest-ink/data without any explicit runtime notice, consent prompt, or confirmation at the point of collection. Because browsing history is highly sensitive and can reveal credentials, health, finance, or other private activity, silent collection and long-term local storage increases privacy and disclosure risk, especially on shared systems or if the output directory is later accessed by another process or user.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This collector ingests the user's full shell history and persists commands into a separate local datastore, which can include secrets, access tokens, internal hostnames, private repository paths, and other highly sensitive operational data. In the context of an activity-tracking skill, this behavior is expected functionality, but it is still privacy- and security-sensitive because there is no visible consent, minimization, or protective control in this code path before collecting and storing the data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This collector silently reads VS Code's recent file/workspace history and persists detailed local activity data, including file paths and inferred workspaces, to a separate datastore without any user-facing disclosure or consent flow in this file. That creates a privacy-sensitive surveillance capability: file paths, project names, and edit timing can expose confidential work, client names, repository structure, or personal activity, and the skill context is explicitly designed for long-term activity recall, which increases the sensitivity of the collected data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This hook automatically logs repository paths, branch names, commit hashes, commit messages, changed files, and remote URLs on common Git events, and does so silently to a persistent local telemetry file under the user's home directory. In the context of an activity-tracking skill, this behavior is functional, but it still creates a real privacy and security risk because it captures potentially sensitive development metadata across repositories without in-script notice, consent flow, scoping, or filtering for secrets/internal project names.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installer performs git config --global core.hooksPath without prior confirmation, which is a high-impact change to the user's global development environment. Silent modification of global settings removes informed consent and can unexpectedly redirect hooks for every repository the user works with.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script writes and loads a LaunchAgent for recurring execution without an upfront warning that the tool will run continuously in the background every 15 seconds. Even when related to the skill's stated purpose, hidden persistence materially changes user expectations and increases privacy risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The schema describes persistent storage of highly sensitive activity data including visited URLs with extracted content summaries/keywords, shell commands, app focus/window titles, and file paths, but provides no visible warning, consent, or privacy safeguards. In this skill context, the purpose is broad work-activity recall, which makes the collection plausible, but the combination of cross-source behavioral logging and content capture materially raises surveillance and data-exposure risk if users are not clearly informed and protected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script can persist highly sensitive aggregated activity data, including browsing history, shell commands, file edits, and commit metadata, to a predictable location on disk with only a generic --save flag and no warning, consent flow, or permission hardening. Saved reports are easier to discover, exfiltrate, back up, or accidentally share than ephemeral console output.

Session Persistence

Medium
Category
Rogue Agent
Content
```

This will:
- Create `~/.palest-ink/` for storing activity data
- Write a default `config.json`
- Install git hooks globally (`post-commit`, `post-merge`, `post-checkout`, `pre-push`)
- Install a **launchd agent** that runs every 15 seconds (replaces cron)
Confidence
87% confidence
Finding
Create `~/.palest-ink/` for storing activity data - Write a default `config.json` - Install git hooks globally (`post-commit`, `post-merge`, `post-checkout`, `pre-push`) - Install a **launchd agent**

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal