ClawHub

Codesession

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed local cost and activity tracker for agent sessions, with no artifact evidence of hidden exfiltration or destructive behavior outside its stated purpose.

Install this only if you want agents to keep a local record of session costs, AI usage, changed files, commits, notes, and related analytics. Review the npm package before global installation, avoid using it in repositories where filenames or commit metadata are sensitive unless that local tracking is acceptable, and export any records you need before using the dashboard's Start Fresh reset.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill repeatedly instructs agents to always start tracked sessions and states that file changes and git commits are tracked automatically, but it does not provide a clear privacy warning or consent guidance before collecting repository activity metadata. In an agent context, this can lead to unintentional collection and retention of sensitive project information such as filenames, commit metadata, and work patterns in a local database and dashboard.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documented dashboard includes a 'Start Fresh' reset feature but does not warn that it deletes prior session history. Users or agents may invoke it without understanding the destructive effect, causing loss of audit, cost, and activity records that may be needed for accountability or debugging.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal