Ctxkeeper

Security checks across malware telemetry and agentic risk

Overview

Ctxkeeper is a local logging helper that persistently saves user-provided entries on the device, with some documentation mismatch but no evidence of network exfiltration, credential access, privilege escalation, or destructive behavior.

Install this only if you want a local activity/context logging helper. Treat anything you enter as persistent local data that may later appear in recent or search results, avoid secrets or sensitive conversation text, and manually remove `~/.local/share/ctxkeeper/` if you need to clear saved entries. Also verify the installed `ctxkeeper` command points to this reviewed script, since the package does not define an install mechanism.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
The skill’s declared purpose is conversation-context save/load/prune, but the documented behavior is a generic operational logger that persists arbitrary user inputs across many unrelated categories and supports search/export. This mismatch is dangerous because users or orchestrators may invoke it expecting bounded context management, while it instead stores potentially sensitive prompts or operational data to disk without a clear consent boundary or matching controls.

Intent-Code Divergence

High
Confidence: 97%
Finding:
The manifest and top-level description frame the skill as context management, but the body documents a broad logging toolkit with unrelated commands such as run, analyze, generate, compare, export, and stats. In agent environments, this semantic mismatch can cause over-broad invocation and covert retention of user content under a misleading label, increasing the chance of inappropriate handling of sensitive conversation data.

Description-Behavior Mismatch

High
Confidence: 97%
Finding:
The documented commands do not provide the save/load/prune session-management behavior promised by the manifest; instead they record arbitrary entries and expose them through recent, search, stats, and export-style operations. This creates a trust and safety issue because callers may rely on advertised context controls that do not exist, while sensitive inputs are instead accumulated in logs with broader access patterns.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding:
Export capability and broad operational activity logging are not justified by the stated purpose of preserving conversation context, and they expand the exposure surface of whatever users enter. Even if local-only, search and export make it easier to aggregate and exfiltrate sensitive prompts, secrets, or operational notes that users may not realize are being durably stored.

Context-Inappropriate Capability

High
Confidence: 88%
Finding:
The skill exposes many unrelated commands despite being presented as a context-management tool, which expands the attack surface and creates deceptive capability scope. In agent settings, this mismatch can trick operators or upstream systems into invoking a tool with broader data-handling behavior than expected, increasing the risk of unintended persistence and misuse of sensitive conversational input.

Intent-Code Divergence

Medium
Confidence: 91%
Finding:
The help text claims that 'export' and 'status' are dedicated functional commands, but due to earlier duplicate case arms they instead act as generic log-writing operations. This kind of command shadowing/deception is dangerous in agent workflows because users may believe they are retrieving status or exporting data when they are actually appending potentially sensitive input to persistent logs.

Vague Triggers

Medium
Confidence: 86%
Finding:
The invocation language is broad and generic enough to overlap with many ordinary requests about preserving context, tracking activity, or reviewing history. In a skill-routing setting, that increases the likelihood the skill is selected for sensitive conversations and then persists arbitrary content to local logs under a misleadingly safe-sounding context-management label.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The documentation says data is stored under ~/.local/share/ctxkeeper/ but does not clearly warn that user-provided command inputs are persistently logged to local files. This is dangerous because users may enter secrets, private conversation excerpts, or regulated data believing the skill manages transient context, when in fact it creates durable local records that can later be searched or exported.

Missing User Warnings

Medium
Confidence: 98%
Finding:
User-provided input is silently and persistently written to local files under ~/.local/share/ctxkeeper without meaningful notice in the help text. In a context-handling skill, inputs are likely to include prompts, secrets, tokens, or sensitive conversation fragments, so undisclosed retention materially increases confidentiality risk.

Ssd 3

High
Confidence: 99%
Finding:
The script persistently records arbitrary user input across multiple commands and later re-exposes it through recent/history views and export functions. In the skill's context, this is especially dangerous because conversation-management tools commonly process sensitive prompts, credentials, private messages, and internal context, turning the tool into an unbounded local data sink and disclosure mechanism.

VirusTotal

66/66 vendors flagged this skill as clean.