Security audit

Calctool

Security checks across malware telemetry and agentic risk

Overview

CalcTool is advertised as a calculator, but its artifacts describe and implement a local plaintext activity logger for arbitrary user inputs.

Only install this if you want a local activity logbook, not a real calculator. Avoid entering secrets, account data, private financial figures, customer information, or proprietary notes unless you are comfortable with them being saved under ~/.local/share/calctool and later searchable or exportable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (13)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The manifest advertises a calculator, but the body describes a general-purpose local logging utility. That semantic gap can mislead users and calling agents into supplying sensitive content that becomes part of a searchable local archive, which is materially different from a transient calculator.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
Persistent activity logging and audit-trail features are not justified by the stated calculator use case and create unnecessary retention of potentially sensitive inputs. Even without network exfiltration, local persistence increases exposure to other local users, backups, malware, and accidental disclosure through search/export features.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The top-level description frames the skill as computation-focused, while the detailed content describes a data-entry logging and management toolkit. In agent ecosystems, this kind of mismatch can lead to unintended invocation and trust-based misuse, especially when users expect mathematical evaluation rather than broad collection and management of entered content.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The implementation materially diverges from the declared calculator purpose and instead exposes a broad generic logging/toolkit interface. This kind of capability mismatch is dangerous because users and orchestrators may grant trust or provide sensitive calculation inputs under false assumptions, while the tool actually collects and stores arbitrary text.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The script includes data management, reporting, search, recent-history, and export capabilities that are not necessary for a calculator. Unnecessary breadth increases attack surface and enables collection, retention, and disclosure of user-provided content beyond the expected use case.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The help text explicitly presents the program as a general 'utility toolkit' with many broad commands, contradicting the calculator identity advertised to users. Misleading identity is security-relevant because it can disguise data collection or broader capabilities behind a benign-seeming skill label.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The broad description ('run, check, convert, analyze, generate, preview, batch, compare, and manage data entries') makes the tool appear generally useful far beyond calculation, which increases the chance an agent or user invokes it for unrelated sensitive workflows. That broad surface area amplifies the privacy risk because arbitrary content may be logged and retained.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill description does not adequately warn, at the point of first impression, that all command inputs are timestamped and stored persistently. Users choosing a calculator are unlikely to expect durable logging, so the omission materially undermines informed consent and can lead to accidental retention of secrets, financial data, or personal information.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The script writes user input verbatim into persistent log files under the user's home directory without explicit notice or consent. In a calculator context, users may enter financial figures, account values, formulas, or other sensitive data, so silent retention creates a privacy and data-exposure risk on shared systems or through backups and later exports.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The documentation explicitly instructs logging all user-provided inputs and making them reviewable, which normalizes broad retention of arbitrary content without sensitivity boundaries. This is risky because user inputs to a supposed calculator may include confidential numbers, account data, internal notes, or other secrets that become searchable artifacts.

Ssd 3

Severity: Medium
Confidence: 93%
Finding:
Encouraging persistent storage and later retrieval across commands creates a cross-session memory mechanism that can expose prior sensitive entries well beyond the original task context. This persistence is especially concerning because the skill is not framed as a note-taking or records-management tool, so users may not anticipate durable recall.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
The examples normalize searching, reviewing, and exporting all logged data without discussing sensitivity limits or access controls. That encourages use patterns where broad data collections are treated as harmless, increasing the chance of accidental disclosure or inappropriate retention of confidential material.

Ssd 3

Severity: Medium
Confidence: 99%
Finding:
The tool persistently stores all submitted inputs in plaintext, re-displays them via recent/status/search flows, and exports them in multiple formats. This substantially increases the chance of inadvertent disclosure of sensitive user data and is made more dangerous by the misleading calculator branding, which lowers user suspicion that inputs are being archived.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.