Security audit

standard-book-learning

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent book-to-notes workflow, but it needs review because it embeds Neo4j credentials, can change a database, and its importer can report success without doing a real import.

Install only after replacing the hardcoded Neo4j password, using a least-privilege test database, reviewing generated Cypher before execution, and confirming you are comfortable with full book contents being written into local notes and graph data. Treat importer success messages as unreliable until the importer performs real database writes and real verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The skill’s stated contract says it must not include note content, yet the configured script output exposes a `summary` field that can expand the scope from chapter extraction into derived content generation. That mismatch creates a data-governance and least-privilege problem: downstream systems or users may receive extra synthesized content containing sensitive details from the source document that the skill was not supposed to emit.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The relationship generator interpolates `rel['type']` directly into the Cypher pattern as `:{rel_type}` without validation or allowlisting. Because relationship types are part of Cypher syntax rather than quoted string data, an attacker who controls this field can break query structure, inject additional clauses, or generate unintended graph mutations despite the script presenting itself as performing syntax validation.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly creates directories and writes or updates progress and summary Markdown files under fixed local paths, but it provides no explicit user-consent, confirmation, or warning that local data will be modified. In an agent setting, silent filesystem writes can overwrite user content, create unwanted artifacts, or be chained with unsafe path handling from downstream modules.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill directs generated data into a Neo4j instance and includes connection parameters, but it does not warn that an external database will be modified or require confirmation before import. Because the imported Cypher is derived from other modules' outputs, this can lead to unintended data corruption, pollution of an existing graph, or execution of unsafe queries if downstream generation is compromised.

Missing User Warnings

Medium
Confidence: 94%
Finding
This skill is designed to read entire local Word/PDF files and return full chapter contents, but it does not prominently warn users that highly sensitive local document data may be ingested and reproduced in output. In an agent context, that omission increases the chance of accidental over-collection and disclosure of confidential material from the local filesystem.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill performs write operations against Neo4j, including data import and index creation, but does not prominently warn that it will modify database contents and schema. In an agent setting, insufficient disclosure around destructive or state-changing actions increases the risk of unintended integrity impact, especially if invoked on the wrong database or with unreviewed batch content.

Missing User Warnings

Medium
Confidence: 99%
Finding
The document includes hardcoded credentials and describes authenticated network access to a database without any security warning. Embedded secrets are a real security issue because they can be reused by anyone with access to the skill file, enabling unauthorized database access and potential data modification or exfiltration.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs downstream use of a concrete local filesystem path (for example under F:\Obsidian\...) but does not warn the user that generated content may be written to disk. In an agent/tooling context, silent file writes can cause unintended data persistence, overwrite existing notes, or expose sensitive book/project names and content to local storage without informed consent.

Missing User Warnings

Medium
Confidence: 86%
Finding
The script writes progress and summary files directly into a fixed local Obsidian directory without obtaining explicit user confirmation or offering a dry-run mode. In an agent/skill context, silent filesystem modification is risky because it can unexpectedly alter user data, create clutter, overwrite existing content, or be chained with crafted book titles to affect unintended paths.

Missing User Warnings

Medium
Confidence: 75%
Finding
The coordinator forwards extracted chapter text and metadata to downstream components without any visible disclosure about whether those components may call external services or otherwise expose sensitive content. In a book-processing workflow, this can leak copyrighted, proprietary, or personal material if any downstream module performs remote inference, logging, or telemetry.

Missing User Warnings

Medium
Confidence: 99%
Finding
The embedded PowerShell script performs real authenticated HTTP POST requests to a Neo4j transaction endpoint using hardcoded credentials in plaintext. If reused, shared, or committed to source control, these credentials can expose the database to unauthorized access and allow modification of graph data without any confirmation, secret management, or user consent controls.

VirusTotal

65/65 vendors flagged this skill as clean.