ClawHub

Wine

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as a wine collection tool, but its implementation is a broad local text logger that stores arbitrary command input in plaintext.

Install only if you are comfortable with arbitrary text entered into this tool being saved locally in ~/.local/share/wine. Do not enter secrets or unrelated sensitive information, verify which wine command will run on your system, and treat the advertised wine-specific functionality as underdeveloped because the implementation is mainly a generic logger.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is documented as handling wine collection and tasting notes, but the command inventory instead describes a generic action and logging framework. In an agent setting, this semantic deception can cause unsafe tool selection, overbroad invocation, and unintended persistence of non-wine user data under a misleadingly harmless label.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The prose claims a wine/food tool, but the nearby commands indicate unrelated generic operations. This inconsistency increases the chance that users trust the skill with inputs they would not provide to a generic logger, making the misleading presentation a security-relevant documentation flaw rather than mere poor wording.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script presents itself as a wine collection tool but actually exposes a broad generic command-logging toolkit with unrelated actions like run, check, convert, analyze, generate, preview, batch, and config. This mismatch increases security risk because users may provide sensitive data under the assumption of a domain-specific wine skill, while the tool is architected for broad input capture and retention instead of narrowly scoped wine functionality.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The command surface includes generic utility capabilities that are not justified by the wine-management use case. Unnecessary capabilities expand the attack surface and encourage collection of arbitrary user input, making it easier for sensitive or irrelevant data to be stored and later exposed.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The inline comments explicitly describe the code as a generic utility tool, contradicting the declared wine-collection purpose. This inconsistency is a trust and transparency problem that can mislead users and reviewers about what the skill really does, especially when combined with broad logging behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation advertises automatic history and activity logging without any privacy warning, retention guidance, or caution about entering sensitive information. Because the skill appears to accept arbitrary free-form input under many commands and stores data locally for later export, users may unknowingly persist confidential content that can be exposed through local access, backups, or exports.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The command handlers append full user input directly to persistent plaintext logs without upfront disclosure, consent, retention controls, or redaction. Users may enter tasting notes, inventory details, personal annotations, or other sensitive content believing they are issuing transient commands, but the script silently stores everything.

Ssd 3

High
Confidence
99% confidence
Finding
The script builds a local plaintext datastore of all user-supplied inputs and provides built-in bulk retrieval through search, recent, status, and export functions. Even without remote exfiltration, this creates a concentrated repository of potentially sensitive user data that can be easily browsed or exported by anyone with access to the account or files.

Ssd 3

High
Confidence
99% confidence
Finding
Each command handler records the complete input string into command-specific logs and a shared history log, creating comprehensive plaintext retention across many categories. In the context of a purported wine tool, this is especially risky because the wide set of generic commands invites users to submit arbitrary content, magnifying privacy exposure and making later disclosure through local access or export more damaging.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal