Smart Model Selector

Security checks across malware telemetry and agentic risk

Overview

This model-routing skill appears legitimate, but it can keep local task history that may include prompt text.

Install only if you are comfortable with a local model-routing helper reading the first task message and potentially saving it in a local SQLite database. Avoid using it with secrets, private code, or personal data unless you are prepared to delete the skill's data/model_selection.db file or add your own redaction and retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The component persistently stores full task text, task hashes, ratings, timing, token consumption, and completion state in a local SQLite database. For a model-routing utility, retaining raw prompts and interaction metadata creates unnecessary data exposure risk because prompts may contain secrets, personal data, or proprietary content, and the storage is not minimized, protected, or disclosed.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The code logs task content and user interaction history in a durable database even though the stated purpose is model selection, and the feature does not appear strictly necessary in its current raw form. This violates data minimization principles and increases the blast radius if the host is compromised, logs are inspected, or the database is reused by other components.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README explicitly says the skill records conversation outcomes, task characteristics, and stores data locally, but it does not clearly disclose retention period, exact fields collected, sensitivity risks, or how users can inspect/delete the data beyond a reset command for the current task. In a model-routing skill, task content may contain sensitive prompts, code, credentials, or personal data, so silent persistence creates a real privacy/security risk even if storage is only local.

Vague Triggers

Medium
Confidence: 93%
Finding
The manifest subscribes to both agent bootstrap and generic command events without any visible scoping, filtering, or activation constraints. That gives the skill an unnecessarily broad execution surface, increasing the chance it runs on unrelated workflows, intercepts sensitive context, or influences command handling more often than intended.

Missing User Warnings

Medium
Confidence: 95%
Finding
Task text is saved to disk through start_task/complete_task flows without any user-facing notice, consent, or API-level safeguard indicating that prompts will be retained. Because agent tasks often contain confidential instructions, credentials, internal code, or personal data, undisclosed persistence materially increases privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.