ClawHub

Blog

Security checks across malware telemetry and agentic risk

Overview

This is a local blog logging tool that clearly discloses plaintext storage and does not show hidden network, credential, or destructive behavior.

Install only if you are comfortable with blog drafts, schedules, SEO notes, and exports being saved as plaintext under ~/.local/share/blog. Avoid entering secrets, embargoed material, or highly sensitive business information unless your local account and machine protections are appropriate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persistently stores user-supplied blog content in plaintext log files under the user's home directory and does so without clear disclosure or consent. In a skill context, users may provide drafts, unpublished content, credentials accidentally pasted into prompts, or sensitive business information, all of which become recoverable later via local file access, search, status, recent, and export features.

Ssd 3

Medium
Confidence
97% confidence
Finding
The tool is designed to retain all user-provided content across multiple commands and then expose it through plaintext display, search, recent activity, status, and export flows. In the context of a blog/content skill, this is risky because drafts and editorial notes are often confidential prepublication material, and the script offers easy bulk recovery of that data without any access control, sanitization, or retention limits.

Session Persistence

Medium
Category
Rogue Agent
Content
### Social media preparation

```bash
# Create hashtag sets
blog hashtags "#remotework #developer #productivity #coding #devtips"

# Write hooks for social posts
Confidence
83% confidence
Finding
Create hashtag sets blog hashtags "#remotework #developer #productivity #coding #devtips" # Write hooks for social posts blog hooks "Most devs waste 2 hours daily on context switching. Here's how to

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal