Folder Organizer

Security checks across malware telemetry and agentic risk

Overview

This folder-organizing skill uses broad filesystem access, but its scanning, reporting, and optional file moves are disclosed, purpose-aligned, and guarded by dry-run and confirmation requirements.

Install only if you want an agent to inspect folder paths and metadata and generate organization reports. Before applying changes, review the dry-run plan, confirm the exact target folder or disk, prefer sandbox mode for first-time cleanups, and do not approve moves or copies for sensitive folders unless you have checked the plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill explicitly instructs use of scanning scripts, report generation, and potential file moves/log writes, which implies file_read and file_write capabilities, yet no permissions are declared. This creates a transparency and governance gap: an agent/operator may invoke file access beyond what reviewers expect, especially because the skill targets broad filesystem locations such as disks, download folders, and workspaces.

Vague Triggers

Medium
Confidence: 88%
Finding
The default prompt is broad and maps to a very common user need, which increases the chance of implicit or automatic invocation in situations where the user did not explicitly request this specific skill. Because the skill can scan and reorganize folders or disks, an overly generic trigger can lead to unintended access to large amounts of local data and unintended file operations.

VirusTotal

65/65 vendors flagged this skill as clean.
