ClawHub

Oven

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local logging/export skill whose privacy risks come from saving and duplicating user-entered notes, not from hidden network transfer or destructive behavior.

Install only if you are comfortable with the skill saving your entered notes locally and creating plaintext exports on request. Avoid entering sensitive schedules, personal details, or security-related household information unless you know where the files are stored and how to delete them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script stores arbitrary user-provided text to persistent log files under the user's home directory without clearly warning that data will be retained on disk. In this context, users may enter schedules, inventory notes, or other household details assuming ephemeral handling, which creates avoidable privacy exposure if the account or workstation is later accessed by others.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The export function aggregates all stored logs into new json/csv/txt files without any warning that potentially sensitive historical data will be duplicated into another artifact. This increases the attack surface because exported files are easier to share, back up, or leave behind unintentionally, especially in plain text and CSV formats.

Ssd 3

Medium
Confidence
89% confidence
Finding
The tool is designed to persist and later export arbitrary free-form user input across many commands in plain language, which materially raises privacy risk even though there is no network exfiltration. Within this skill's context, users are likely to store household routines, schedules, maintenance notes, and similar information that can become sensitive when centrally collected and searchable.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal