ClawHub

Trigger

Security checks across malware telemetry and agentic risk

Overview

This is a local productivity logging CLI that stores user-entered entries on disk, with documentation gaps but no evidence of hidden network access, credential use, destructive behavior, or background automation.

Install only if you are comfortable with a local CLI retaining anything you type into it under ~/.local/share/trigger and exporting that history into local files. Avoid entering passwords, API keys, private client data, or other secrets, and note that the documented TRIGGER_DIR setting does not appear to be honored by the script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill is presented as a generic everyday command-line tool, but the documentation also indicates persistent storage, logging, searching, export, and activity/history features. That mismatch can cause users or invoking agents to underestimate the data collection and retention behavior, increasing the chance of unintended handling of sensitive local data.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The manifest describes a simple CLI tool, while the body expands scope to webhook handlers, file watchers, event logging, and chain triggers. Those capabilities imply inbound event handling and automation side effects, so under-describing them can mislead users and agents into invoking a more powerful skill than expected.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script persistently stores arbitrary user-entered content under ~/.local/share/trigger and provides bulk export, while the manifest gives only a vague generic purpose statement. In a skill ecosystem, this under-disclosure can cause users to provide sensitive notes without realizing they will be retained and aggregated on disk, increasing privacy and local data exposure risk.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation guidance is overly broad ('use when you need trigger') and does not constrain when the skill should or should not be selected. In an agent setting, vague routing language can cause inappropriate invocation of a tool with automation and data persistence features, expanding exposure beyond user intent.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The 'When to Use' section is ambiguous and lacks concrete trigger phrases or guardrails, making accidental or overly broad selection more likely. In the context of a skill that may store data and automate event-driven actions, poor scoping increases the risk of unintended execution and data handling.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
These command handlers write raw user input directly to persistent log files without any explicit privacy notice, retention limit, or sensitivity warning. Users may enter secrets, personal notes, or other sensitive content expecting ephemeral CLI behavior, but the tool silently preserves that data in a predictable local location.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The export feature aggregates all stored activity into json/csv/txt files on disk without warning that this may concentrate sensitive user content into a single easily copied file. Even though the export stays local, it increases the blast radius of accidental sharing, backup exposure, or local compromise because previously dispersed entries become bundled together.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal