Bookmark Intelligence

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its bookmark-analysis purpose, but it needs Review because it handles live X session cookies, can run persistently, sends and stores bookmark-derived data, and contains under-scoped shell/payment/privacy risks.

Install only if you are comfortable giving the skill reusable X session cookies and letting it automatically fetch, analyze, and retain bookmark-derived content. Treat .env as a password file, avoid daemon mode unless you want continuous monitoring, review or disable LLM analysis if bookmarks may contain sensitive material, and be cautious with the payment/admin scripts and shell-based implementation until the unsafe command construction and privacy documentation are tightened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (23)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The README makes a strong privacy/security claim of 'No telemetry, no phone-home' while also documenting license checks, activation, payment processing, and admin/payment flows that imply outbound communication to external systems. Misleading users about network behavior is a real security/privacy issue because it can cause operators to run the skill in environments where external communication is prohibited or sensitive credentials are present.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The privacy statement is materially misleading: the skill requires X session cookies and necessarily transmits authenticated requests to X.com to read bookmark data. Even if the credentials are not sent to unrelated third parties, claiming they 'never leave your machine' can cause users to underestimate the sensitivity of the operation and consent without understanding account-access implications.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The claim 'No telemetry, no phone-home' conflicts with documented licensing, payment, email, and support workflows that imply network communication and potentially external validation. Such contradictions are dangerous because they undermine informed consent and can hide remote dependencies or outbound data flows users would otherwise scrutinize.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code creates a temp filename using bookmark.id and then deletes it with execSync(`rm "${tempFile}"`), which invokes a shell. If bookmark.id can contain shell metacharacters such as double quotes or command substitutions, this can break out of quoting and lead to command injection during cleanup. In this skill's context, bookmark data originates from external content, so treating bookmark.id as fully trusted is unsafe.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The package presents itself as a bookmark monitoring and analysis tool, but its npm scripts expose unrelated administrative, licensing, payment, and revenue functions. This capability mismatch is suspicious because it expands the operational scope beyond the stated purpose and may enable hidden business/admin workflows or privileged actions that users would not reasonably expect from this skill.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The function accepts any key matching a simple tier prefix and 24 hex characters, while comments imply signature validation. This means an attacker can forge arbitrary PRO or ENT keys offline and unlock paid features without authorization, defeating the licensing model entirely.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The code describes encrypted storage but uses reversible XOR with a machine-derived key, which provides little real confidentiality. Anyone with local access and knowledge of the machine ID derivation can recover or modify the stored license, enabling tampering or disclosure of license data.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The completePayment function marks any existing payment as completed and issues a license key without verifying a Stripe webhook, blockchain transaction, operator authorization, or any proof of payment. In this skill context, that directly enables free license issuance and fraudulent activation by anyone who can invoke the function or CLI with a known payment ID.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The checklist includes destructive `rm` commands that delete local files and recursively wipe a relative directory, but it does not provide an explicit warning about deletion risk, path validation, backups, or safe execution. In documentation for a distributable skill, this creates a real safety issue because users may run the commands verbatim and unintentionally delete data outside the intended scope if the working directory is wrong or the relative path resolves unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installation guide instructs users to obtain X browser cookies and store credential material in a local .env file, but it does not warn that these cookies are sensitive session secrets that can enable account access if exposed. In a skill that processes external account data, normalizing cookie extraction without clear security guidance increases the chance of credential theft, unsafe sharing, or accidental disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The troubleshooting instructions tell users to run cat .env and describe the expected secret variable names, which encourages printing credentials directly to the terminal or logs without any warning. This creates a realistic path for accidental exposure through shell history, screen sharing, terminal recording, support transcripts, or copied output.

Missing User Warnings

Medium
Confidence
73% confidence
Finding
The file documents credential entry, cookie extraction, daemonized background execution, and uninstall flows without giving a clear warning in the same section about privacy, persistence, and system-level effects. In a skill that handles authentication material and long-running processes, missing upfront warnings can lead users to disclose sensitive tokens or run persistent monitoring without fully informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The payment instructions explicitly ask users to include an email address or Telegram handle in the transaction memo/note, but do not warn that memo fields can be permanently recorded, publicly visible, and linkable to a wallet address. This creates a privacy and deanonymization risk by tying contact information to on-chain activity, which can enable profiling, spam, harassment, or targeting of users.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill is presented as automatically monitoring bookmarks, fetching linked articles, analyzing content, and storing results, but the README does not prominently warn users about continuous network access, collection of bookmark-derived content, and local retention of analyzed material. In a tool that processes personal bookmarks and potentially authenticated X access, inadequate disclosure increases the risk of privacy harm, unexpected data collection, and unsafe deployment assumptions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to manually extract live X session cookies and place them into a local file, effectively converting browser session secrets into reusable application credentials. Although the document notes the cookies are sensitive, it does not sufficiently emphasize the security tradeoff of granting ongoing account access to a background process that monitors bookmarks and may process linked content automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The checklist instructs users to delete local configuration and bookmark data, including a recursive wipe of a bookmarks directory, without an explicit warning about data loss, scope verification, or backup steps. In a testing document, this is dangerous because users may run the commands in the wrong directory or against real data and irreversibly destroy local state.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The checklist tells users to inspect sensitive files and git state but does not warn them not to print, share, or copy credential contents. Even though the command shown is `ls -l .env` rather than `cat .env`, the surrounding document elsewhere normalizes viewing files directly, and the lack of handling guidance increases the chance of credential exposure during troubleshooting, screen sharing, or logging.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code sends bookmark text, author metadata, engagement data, and fetched third-party URL content to an external LLM CLI without any visible consent, notice, redaction, or policy gating beyond license tier. This creates a real data exposure risk because bookmarked content may include private, sensitive, or proprietary information, and fetched URLs can expand the amount of transmitted data well beyond what the user expects.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill writes full bookmark content to a temp JSON file on disk before analysis, which may include sensitive private research, account data, or other user-derived content. Even if intended as an implementation detail, local plaintext persistence increases exposure through backups, other local users, malware, or crash leftovers if cleanup fails.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code permanently stores raw bookmark data together with analysis output in a local storage directory without any retention controls or explicit consent flow. This creates a durable archive of potentially sensitive content and metadata, increasing privacy and breach impact if the host is compromised or shared.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The code stores payment records, including user email and later-issued license keys, in a local JSON file without any notice, minimization, access controls, or retention protections. If the host is multi-user, backed up insecurely, or the skill directory is exposed, this creates unnecessary privacy and confidentiality risk even if it is not a remote code exploit.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup wizard transmits highly sensitive X/Twitter session cookies to an external command for live verification, but it does not present a clear just-in-time warning immediately before network use or obtain explicit consent for that transmission. In this skill's context, the cookies function like account credentials, so sending them over the network increases exposure if the CLI, endpoint, logs, process inspection, or surrounding environment are compromised.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The wizard collects user project and interest data, then writes it to config.json without a clear disclosure at the time of persistence that this personal profiling context will be stored locally. While lower severity than credential handling, this can still expose sensitive work, startup, or personal interest information to other local users, backups, or accidental commits.

VirusTotal

52/52 vendors flagged this skill as clean.
