Draw

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as an SVG drawing tool, but it mainly stores user-entered design text in local logs.

Install only if you want a local design/color journal, not an SVG diagram generator. Avoid entering secrets, proprietary prompts, client names, sensitive filenames, or private URLs, because entries are stored in plaintext under ~/.local/share/draw and may be searchable or exported later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The manifest presents this as an SVG diagram creation skill, but the documented behavior is actually a persistent local logging and export utility that stores arbitrary user inputs under ~/.local/share/draw/. This mismatch is security-relevant because an agent or user may provide sensitive design content, prompts, or file-derived data under the assumption they are generating graphics, while the skill instead accumulates searchable local records and exports them later.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented commands and storage model describe a design/color journal CLI rather than a drawing tool, creating a deceptive interface contract between advertised capability and actual data-handling behavior. In an agent setting, this increases the chance of inappropriate invocation and unintended collection of sensitive user content, because the context suggests graphics generation rather than long-term local telemetry-style logging.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill advertises SVG diagram creation and multi-format graphics export, but the implementation primarily records arbitrary user inputs into persistent log files and exports those logs. This mismatch is security-relevant because users may provide sensitive design content or prompts under the assumption they are being processed ephemerally for drawing, while the script instead stores them and re-emits them through its local export commands.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The search, history, and telemetry/statistics features increase the amount of retained user data and make previously entered content easier to enumerate and retrieve. In a drawing skill context, these capabilities are not necessary for core functionality, so they expand privacy and data-exposure risk without clear justification.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The 'browse' command is inconsistent with a local SVG drawing tool and is implemented only as another persistent input collector. Even though it does not actually browse external resources, the misleading capability name can encourage users to provide sensitive URLs, file paths, or research terms that are then silently stored.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The help text promises 'export <fmt>' for json/csv/txt, but the first dispatcher branch for 'export' captures arbitrary input and appends it to export.log instead of calling the actual export routine. This deceptive behavior can cause users to expose sensitive data while believing they are exporting existing drawings or metadata, and it also makes the intended export functionality unreachable due to the duplicate case label.
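The following POSIX shell is an added illustration of the pattern this finding describes; it is not the Draw skill's script, which this report does not reproduce, and the assumption that the skill is a shell `case` dispatcher is inferred only from the finding's wording ("dispatcher branch", "case label"). It shows a dispatcher with two `export)` labels, where the shell takes the first matching branch and the real export routine below it can never run, beside a corrected dispatcher that validates the format against an allowlist and rejects anything else instead of writing it to disk. Function names, the sample journal entries and the storage path are constructed; data goes to a temporary directory rather than ~/.local/share/draw.

```sh
#!/bin/sh
# Added illustration, not the Draw skill's own code. Storage is redirected to
# a temporary directory; the real skill is reported to use ~/.local/share/draw.
DRAW_HOME="${DRAW_HOME:-$(mktemp -d)}"
mkdir -p "$DRAW_HOME"

# Constructed sample journal; also resets export.log so runs are repeatable.
seed_entries() {
    printf '%s\n' 'circle palette: #ff6600' 'grid layout v2' > "$DRAW_HOME/entries.log"
    : > "$DRAW_HOME/export.log"
}

# The export routine the help text promises (minimal; no JSON escaping of
# quotes, which the constructed sample does not contain).
do_export() {
    entries="$DRAW_HOME/entries.log"
    case "$1" in
        json) printf '['; awk 'NR>1{printf ","} {printf "\"%s\"", $0}' "$entries"; printf ']\n' ;;
        csv)  printf 'entry\n'; cat "$entries" ;;
        txt)  cat "$entries" ;;
        *)    echo "unsupported format: $1" >&2; return 1 ;;
    esac
}

# Buggy dispatcher: duplicate `export)` labels. A POSIX case statement runs
# the first branch whose pattern matches, so the second one is dead code and
# whatever the user typed after "export" is appended to export.log instead.
draw_buggy() {
    [ $# -gt 0 ] || { echo "usage: draw <command> [args]" >&2; return 1; }
    cmd="$1"; shift
    case "$cmd" in
        export)
            printf '%s\n' "$*" >> "$DRAW_HOME/export.log"   # silently stored
            echo "logged"
            ;;
        export)
            do_export "$1"                                   # unreachable
            ;;
        *)
            echo "unknown command: $cmd" >&2; return 1
            ;;
    esac
}

# Fixed dispatcher: one `export)` branch, format checked against an allowlist,
# and nothing the user typed is written anywhere on the rejection path.
draw_fixed() {
    [ $# -gt 0 ] || { echo "usage: draw <command> [args]" >&2; return 1; }
    cmd="$1"; shift
    case "$cmd" in
        export)
            case "${1:-}" in
                json|csv|txt) do_export "$1" ;;
                *) echo "usage: draw export <json|csv|txt>" >&2; return 1 ;;
            esac
            ;;
        *)
            echo "unknown command: $cmd" >&2; return 1
            ;;
    esac
}

seed_entries
echo "buggy: $(draw_buggy export json)"    # prints "logged"; "json" now sits in export.log
echo "fixed: $(draw_fixed export json)"    # prints the JSON array of entries
draw_fixed export xml || echo "fixed: unsupported format rejected, nothing stored"
```

Run it with `sh draw_case_demo.sh`. The shadowing is silent: no shell diagnoses a duplicate `case` pattern, so the only way to catch it is a test that exercises the documented command and checks the actual side effects, as the fixed dispatcher's allowlist makes easy to do.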

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill explicitly stores user-provided inputs and activity history in the user's home directory and supports bulk export/search, but it does not warn that potentially sensitive design notes, prompts, filenames, or other text may be retained. While this is less severe than active exfiltration, the omission can still lead to unintentional persistence and later disclosure through local access, exports, backups, or shared environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User-provided input is persistently written under ~/.local/share/draw with no clear consent, retention policy, or warning. In the context of a tool presented as a graphics generator, users may reasonably input proprietary diagram content, secrets, or internal project details, creating avoidable local data leakage risk.
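As a practical follow-up to the two warning findings and the overview's advice, the following POSIX shell is an added audit check, not part of the Draw skill: it lists what the skill has retained on disk and flags stored lines that look like credentials before they are searched, exported or swept into a backup. The default store path is the one the findings name; the secret patterns are a short starting list rather than a complete scanner, and the sample store the script seeds is constructed (the AWS key in it is Amazon's documented example value).

```sh
#!/bin/sh
# Added audit check for data retained by a local journal-style skill.
# Not part of the Draw skill. DRAW_STORE may point at any directory.
DRAW_STORE="${DRAW_STORE:-$HOME/.local/share/draw}"

# Starting list of credential shapes; extend for your environment.
SECRET_RE='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?key|token|password)[=:]'

# Show every file the skill wrote, with line counts, so the retention scope is visible.
list_store() {
    dir="${1:-$DRAW_STORE}"
    [ -d "$dir" ] || { echo "no store at $dir"; return 0; }
    find "$dir" -type f | while IFS= read -r f; do
        printf '%s\t%s lines\n' "$f" "$(wc -l < "$f" | tr -d ' ')"
    done
}

# Print file:line:text for every stored line that matches SECRET_RE.
show_secret_hits() {
    dir="${1:-$DRAW_STORE}"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -exec grep -E -i -n -H -- "$SECRET_RE" {} + || true
}

# Echo the number of stored lines that match SECRET_RE (0 when none or no store).
count_secret_hits() {
    dir="${1:-$DRAW_STORE}"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f -exec cat -- {} + | grep -E -i -c -- "$SECRET_RE" || true
}

# Constructed sample store for a dry run against something other than $HOME.
seed_sample_store() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' 'palette: teal and sand' 'client: internal-only-project' \
        'aws key AKIAIOSFODNN7EXAMPLE' > "$dir/entries.log"
    printf '%s\n' 'json' 'api_key=not-a-real-value' > "$dir/export.log"
}

sample="$(mktemp -d)"
seed_sample_store "$sample"
echo "== files retained =="; list_store "$sample"
echo "== secret-like lines =="; show_secret_hits "$sample"
echo "total hits: $(count_secret_hits "$sample")"   # 2 in the constructed sample
```

Point `DRAW_STORE` at the real directory (or pass it as the first argument) to audit what the skill has actually accumulated; anything flagged should be removed from the store before using the skill's search or export commands, and the pattern list should be tuned to the credential formats your environment uses.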

VirusTotal

66/66 vendors flagged this skill as clean.