Contact Book

Security checks across malware telemetry and agentic risk

Overview

This is a local contact-book tool that saves contact notes in readable local files, with no evidence of network transfer or hidden privileged behavior.

Use this only for contact details you are comfortable storing locally in plain text. Avoid passwords, secrets, or highly sensitive personal notes, and remember that exports create another readable copy of the same data under ~/.local/share/contact-book.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill encourages storing sensitive personal data such as names, emails, relationship notes, reminders, and interaction history, yet does not prominently warn that everything is saved in local plain-text log files. This increases the risk of accidental exposure through local compromise, backups, shared accounts, endpoint indexing, or careless export of contact data.

Missing User Warnings

Medium
Confidence: 82%
Finding
The script persists arbitrary user input into local log files under ~/.local/share/contact-book without an explicit disclosure at the point of collection. In the context of a tool presented as handling personal contacts and relationship tracking, users may enter sensitive personal data, creating privacy risk if the device is shared, backed up, or later accessed by other software.

Missing User Warnings

Medium
Confidence: 85%
Finding
The export command aggregates all stored entries and writes them to a new file on disk without warning the user that potentially sensitive contact or relationship data will be materialized in another format. This increases exposure because exported files are easier to share, index, sync, or accidentally disclose than the original logs.

VirusTotal

66/66 vendors flagged this skill as clean.
