Trivia Quiz

Security checks across malware telemetry and agentic risk

Overview

This is a local trivia and study helper; its main risk is that it keeps notes and command history on the user's machine.

Use this for ordinary study notes and quizzes, but avoid saving passwords, API keys, private work notes, or sensitive personal information. If you do not want retained history, redirect or delete the local trivia-quiz data directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium (93% confidence)
Finding
The skill presents itself as a trivia/learning assistant but quietly creates a persistent data directory and logs user activity/history to local files. This is a real privacy and transparency issue because users may provide study topics or notes assuming they are ephemeral, while the script stores them without clear notice or consent.

Missing User Warnings

Low (87% confidence)
Finding
The skill persists notes, flashcards, and a full command history to local files, which can expose sensitive study content or activity patterns to other local users, backups, or endpoint monitoring tools. While this is not remote compromise, insufficiently prominent disclosure of retained data can create privacy and confidentiality risk, especially if users store personal, academic, or work-related notes.

Missing User Warnings

Medium (95% confidence)
Finding
Command history is written to disk without any user-facing warning, which can expose sensitive learning topics, interests, or pasted material to other local users, backups, or forensic review. In a study tool, users may reasonably input personal or confidential notes, making silent persistence more dangerous in context.

Missing User Warnings

Medium (97% confidence)
Finding
The note command appends arbitrary user-provided content directly to a persistent local file without explicit disclosure. Users may store sensitive material such as study answers, credentials copied by mistake, or personal notes, and silent persistence increases the risk of privacy leakage and unintended long-term retention.

VirusTotal

63/63 vendors flagged this skill as clean.
