The Synthetic Context Generator

Security checks across malware telemetry and agentic risk

Overview

SCG is a purpose-aligned coding-context tool, but it reads user-selected project files into context and, by default, sends task keywords to StackOverflow, so use it carefully with sensitive work.

Treat this as a local developer CLI: verify the source before npm install/npm link, run it on narrow directories, avoid secrets in task prompts or indexed files, review generated context before sharing it with an AI assistant, and use --no-web for sensitive tasks.

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing and globally linking a package gives it local code execution as a CLI under the user's account.

Why it was flagged

The skill is packaged as a Node CLI that users install and link globally, while registry metadata does not provide a formal install spec/source. This is purpose-aligned but makes provenance review important.

Skill content
git clone https://github.com/captainsvbot/The-Synthetic-Context-Generator.git
cd The-Synthetic-Context-Generator
npm install
npm link  # Make 'scg' available globally
Recommendation

Install only from a repository/package you trust, review package.json and lockfile, and avoid running npm link from an unverified checkout.
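One way to do that provenance review before running npm install or npm link, as an added example that is not part of SCG or of the scan report: the audit below takes parsed package.json and package-lock.json objects and flags lifecycle scripts that npm executes during install, the bin entries that npm link will place on PATH, dependencies that bypass the registry (git, tarball or path specs), dependencies absent from the lockfile, and locked packages resolved from somewhere other than the npm registry. The sample manifest and lockfile are constructed for the example; on a real checkout, pass `JSON.parse(fs.readFileSync('package.json'))` and the lockfile the same way.

```javascript
// Added example (not SCG code): offline provenance audit of a cloned Node CLI
// before `npm install` / `npm link`.

// Lifecycle scripts npm runs during `npm install` in a checkout (`prepare`
// runs on local installs too); each one is arbitrary code execution.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];
// Dependency specs that bypass the registry: git URLs, tarball URLs, local paths.
const NON_REGISTRY_SPEC = /^(git(\+\w+)?:|github:|https?:|file:|\.{1,2}\/|\/)/i;
const REGISTRY = 'https://registry.npmjs.org/';

function auditManifest(pkg, lock) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const name of LIFECYCLE_SCRIPTS) {
    if (scripts[name]) {
      findings.push({ severity: 'high', kind: 'lifecycle-script', detail: `${name}: ${scripts[name]}` });
    }
  }
  // `npm link` exposes every `bin` entry as a command under the user's account.
  const bins = typeof pkg.bin === 'string' ? { [pkg.name]: pkg.bin } : (pkg.bin || {});
  for (const [cmd, target] of Object.entries(bins)) {
    findings.push({ severity: 'info', kind: 'global-bin', detail: `${cmd} -> ${target}` });
  }
  // Lockfile v2/v3 keys packages as "node_modules/<name>".
  const locked = lock && lock.packages ? lock.packages : null;
  if (!locked) {
    findings.push({ severity: 'medium', kind: 'no-lockfile', detail: 'package-lock.json missing; installs are not pinned' });
  }
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    if (NON_REGISTRY_SPEC.test(spec)) {
      findings.push({ severity: 'medium', kind: 'non-registry-dep', detail: `${name}@${spec}` });
    }
    if (locked && !locked[`node_modules/${name}`]) {
      findings.push({ severity: 'medium', kind: 'unlocked-dep', detail: `${name} has no lockfile entry` });
    }
  }
  for (const [key, entry] of Object.entries(locked || {})) {
    if (key && entry.resolved && !entry.resolved.startsWith(REGISTRY)) {
      findings.push({ severity: 'medium', kind: 'non-registry-resolved', detail: `${key} <- ${entry.resolved}` });
    }
  }
  return findings;
}

// Highest severity present, so a wrapper script can stop before `npm install`.
function highestSeverity(findings) {
  const order = ['info', 'medium', 'high'];
  return findings.reduce((top, f) => (order.indexOf(f.severity) > order.indexOf(top) ? f.severity : top), 'none');
}

// Constructed sample input (hypothetical manifest and lockfile, not SCG's).
const SAMPLE_PKG = {
  name: 'scg-example',
  version: '0.0.0',
  bin: { scg: 'bin/scg.js' },
  scripts: { test: 'node test.js', postinstall: 'node scripts/setup.js' },
  dependencies: { 'left-pad': '^1.3.0', 'some-lib': 'github:someone/some-lib' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'scg-example' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
  },
};

const findings = auditManifest(SAMPLE_PKG, SAMPLE_LOCK);
for (const f of findings) console.log(`[${f.severity}] ${f.kind}: ${f.detail}`);
console.log('verdict:', highestSeverity(findings));
```

A postinstall script is the finding to read first: it runs on `npm install` regardless of whether you ever invoke the CLI, so open the referenced file in the checkout before installing.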

ASI06: Memory and Context Poisoning
Low
What this means

Private project snippets may appear in the generated context and then be shared with whatever AI workflow consumes that output.

Why it was flagged

When the user supplies a project path, the tool reads and indexes matching local files into context chunks. This is central to the skill, but those chunks may contain private code or secrets if the chosen path is broad.

Skill content
const content = fs.readFileSync(fullPath, 'utf-8');
...
fileIndex.push({
    file,
    path: fullPath,
    chunk: i,
    content: chunk
Recommendation

Use narrow project paths, keep secrets out of indexed files, and review the generated context before pasting or sending it elsewhere.
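A pre-flight review of the generated context along those lines, as an added example that is not SCG's code: it works on the chunk shape shown in the excerpt above ({file, path, chunk, content}), reports chunks whose path is a credential-style file or whose content matches a small set of secret patterns, and produces a redacted copy that drops sensitive files and masks matches. The path and secret rules are this example's own, not the skill's, and the sample chunks are constructed (the AWS key is the documented AWS example key, not a live credential).

```javascript
// Added example (not SCG code): scan and redact context chunks before they
// are pasted into or sent to an AI assistant.

// Files that should never be indexed into shared context (example rule set).
const SENSITIVE_PATH = /(^|[\\/])(\.env(\..*)?|.*\.pem|.*\.key|id_(rsa|ed25519)|.*\.p12|credentials(\.json)?)$/i;

// Secret shapes to look for inside chunk content (example rule set).
const SECRET_PATTERNS = [
  { name: 'private-key-block', re: /-----BEGIN (RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----/ },
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'github-token', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { name: 'bearer-token', re: /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/ },
  { name: 'secret-assignment', re: /\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]?[^\s'"]{8,}/i },
];

// Return one finding per (chunk, rule) hit; the match is truncated so the
// report itself does not leak the full secret.
function reviewChunks(chunks) {
  const findings = [];
  for (const c of chunks) {
    if (SENSITIVE_PATH.test(c.path)) {
      findings.push({ file: c.file, chunk: c.chunk, rule: 'sensitive-path', match: c.path });
    }
    for (const { name, re } of SECRET_PATTERNS) {
      const m = c.content.match(re);
      if (m) findings.push({ file: c.file, chunk: c.chunk, rule: name, match: m[0].slice(0, 12) + '...' });
    }
  }
  return findings;
}

// Drop chunks from sensitive files and mask every pattern match in the rest.
function redactChunks(chunks) {
  return chunks
    .filter((c) => !SENSITIVE_PATH.test(c.path))
    .map((c) => ({
      ...c,
      content: SECRET_PATTERNS.reduce(
        (text, { re }) => text.replace(new RegExp(re.source, re.flags + 'g'), '[REDACTED]'),
        c.content,
      ),
    }));
}

// Constructed sample chunks (hypothetical project, not real data).
const SAMPLE_CHUNKS = [
  { file: 'src/server.js', path: '/work/app/src/server.js', chunk: 0,
    content: 'const port = process.env.PORT || 3000;\napp.listen(port);' },
  { file: 'config/default.js', path: '/work/app/config/default.js', chunk: 0,
    content: "module.exports = { db: { password: 'hunter2hunter2' } };" },
  { file: '.env', path: '/work/app/.env', chunk: 0,
    content: 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDEBUG=true' },
];

for (const f of reviewChunks(SAMPLE_CHUNKS)) console.log(`${f.file}#${f.chunk} ${f.rule}: ${f.match}`);
console.log(JSON.stringify(redactChunks(SAMPLE_CHUNKS), null, 2));
```

Pattern matching only catches secrets with a recognisable shape; the narrow-path and keep-secrets-out-of-indexed-files recommendations still carry most of the weight, and this check is the last gate rather than the first.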

ASI07: Insecure Inter-Agent Communication
Low
What this means

Sensitive task descriptions included in the goal could be sent to StackExchange as search query text.

Why it was flagged

The tool sends the parsed goal/keywords to StackOverflow by default for web results. This is disclosed and purpose-aligned, but it is still an external data flow.

Skill content
const STACKOVERFLOW_API = 'https://api.stackexchange.com/2.3/search/advanced';
...
const soResponse = await fetch(`${STACKOVERFLOW_API}?${soParams}`);
Recommendation

Avoid putting secrets or proprietary details in the goal, or use the documented --no-web option for sensitive work.
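To make that external data flow visible and gate it, here is an added example (not SCG's code) that builds the StackExchange request the way the excerpt above does, refuses to build it when a --no-web style switch is set or when the goal contains a user-supplied denylisted term (an internal hostname, project codename or ticket prefix), and otherwise returns the exact URL that would leave the machine so it can be logged as a dry run before any fetch. The endpoint is the one in the skill; the query parameters (site, order, sort, q) and the denylist mechanism are this example's assumptions, since the skill's soParams are not shown on the page.

```javascript
// Added example (not SCG code): explicit, gated egress to the StackExchange API.

const STACKOVERFLOW_API = 'https://api.stackexchange.com/2.3/search/advanced';

// Decide whether a web lookup may happen and, if so, what exactly is sent.
// Returns { send: false, reason } or { send: true, url }.
function buildSearchRequest(goal, { noWeb = false, denylist = [] } = {}) {
  if (noWeb) {
    return { send: false, reason: 'web lookups disabled (--no-web)' };
  }
  const lowered = goal.toLowerCase();
  const hit = denylist.find((term) => lowered.includes(term.toLowerCase()));
  if (hit) {
    return { send: false, reason: `goal contains denylisted term "${hit}"` };
  }
  // Assumed parameter set; the goal text goes out verbatim as the q parameter.
  const params = new URLSearchParams({ site: 'stackoverflow', order: 'desc', sort: 'relevance', q: goal });
  return { send: true, url: `${STACKOVERFLOW_API}?${params}` };
}

// Perform the lookup only when the gate allows it; fetchImpl is injectable so
// the egress can be logged or stubbed. Returns null when nothing was sent.
async function searchStackOverflow(goal, options = {}, fetchImpl = fetch) {
  const req = buildSearchRequest(goal, options);
  if (!req.send) {
    console.log(`[no-web] skipped StackOverflow lookup: ${req.reason}`);
    return null;
  }
  console.log(`[egress] GET ${req.url}`);
  const res = await fetchImpl(req.url, { headers: { Accept: 'application/json' } });
  if (!res.ok) throw new Error(`StackExchange API returned HTTP ${res.status}`);
  return res.json();
}

// Constructed sample goals and a hypothetical denylist.
const DENYLIST = ['acme-internal', 'PROJ-'];
const SAMPLE_GOALS = [
  'parse JWT in express middleware',
  'fix login redirect on acme-internal.corp',
];

for (const goal of SAMPLE_GOALS) {
  console.log(goal, '->', buildSearchRequest(goal, { denylist: DENYLIST }));
  console.log(goal, '(--no-web) ->', buildSearchRequest(goal, { noWeb: true }));
}
```

Logging the full URL before the call is the practical check here: whatever appears after q= is what StackExchange receives, so reading that line once per task is a cheap way to notice a goal that should have stayed local.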