Popover

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a popover UI generator, but the included script is actually a local entry manager that stores, deletes, searches, and exports user-provided text.

Install only if you intentionally want a simple local text-entry manager, not a popover UI generator. Avoid storing secrets or sensitive notes, check ~/.popover or POPOVER_DIR for retained data, and be careful with export because it writes files into the current working directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill advertises itself as a popover/UI generator, but the documented commands describe a local data-management CLI that stores, searches, removes, exports, and configures user data. This mismatch is dangerous because users or downstream agents may invoke it under false assumptions, leading to unintended file writes, data persistence, exports, or destructive changes in the user's environment.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest and top-level documentation frame the skill as a frontend/UI design helper, while the command set behaves like a generic persistence and record-management utility. In an agent setting, deceptive capability descriptions can cause the skill to be selected in inappropriate contexts, increasing the chance of unauthorized data handling or filesystem changes that the user did not expect.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The purpose statement says the skill generates visual popover components, but the documented operations are CRUD-like commands over stored entries and local files. This contradiction undermines informed consent and safe tool routing, making the skill more dangerous because its operational footprint is broader and materially different from what the user is told.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script’s declared purpose is generating popover UI/design assets, but its actual behavior is a persistent local record-management tool. This capability mismatch is dangerous because it can mislead users and higher-level agents into supplying arbitrary input that gets stored and managed on disk under false pretenses, which is a classic sign of deceptive functionality.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script creates a persistent data directory and appends user-provided content to a JSONL file even though that behavior is not justified by a UI asset generator. In the context of an agent skill, unjustified persistence increases the risk of collecting sensitive prompts, design content, or user data without informed consent.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The header comments and help text repeatedly claim design/popover generation, but the exposed commands implement status, add, list, search, remove, export, and config operations over a local datastore. This deception increases risk because reviewers and users may trust and invoke the skill in contexts where hidden data-handling behavior would be unacceptable.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes commands that add, remove, export, and reconfigure local data without warning users about persistence, overwrite risk, deletion effects, or where files are written. Even if these are legitimate features, the lack of safety notice increases the chance of accidental data loss, unintended disclosure through exports, or silent modification of local state.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently logs user-provided entries to a persistent file under the user’s home directory without clear advance disclosure in the help text. This is dangerous because users may enter sensitive content assuming it is transient, while the skill retains it on disk for later listing, searching, or export.

VirusTotal

63/63 vendors flagged this skill as clean.
