Knowledge Management

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does local knowledge organization as described, but its index generation parses tags with `eval`, a real code-execution bug, and its cleanup command can permanently delete local files.

Install only if you are comfortable reviewing local-file behavior first. Before relying on it:
  • Pass explicit `--workspace` and `--output-dir` arguments so the code paths that write and delete resolve to the directories you expect.
  • Run `km sync --dry_run` and `km cleanup --dry_run` before any write or cleanup.
  • Avoid scheduled cleanup until paths and state are verified.
  • Prefer a patched version that replaces the `eval` tag parser with safe parsing and changes cleanup to archive files or require explicit confirmation.
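The `eval` tag parser is the one finding on this page that gives an attacker code execution rather than data loss, so here is what the bug looks like beside a safe replacement. This is an added example, not the skill's own code: the page does not show the real parser, so the `tags:` frontmatter line, the function names and the tag grammar below are assumptions chosen to illustrate the point.

```javascript
// Added example, not the skill's own code. The page says the skill's index generation parses
// tags with eval; its actual parser is not shown, so the `tags:` frontmatter line and the
// function names here are assumptions used to illustrate the bug and a safe replacement.
const TAG_LINE = /^tags:\s*(.+)$/m;

// Vulnerable pattern: the tag value from a note is handed to eval as JavaScript. Any note in
// the workspace (or any note an agent is asked to ingest) then runs code during indexing.
function parseTagsUnsafe(markdown) {
  const m = TAG_LINE.exec(markdown);
  if (!m) return [];
  return eval(m[1]); // eslint-disable-line no-eval
}

// Safe replacement: tags are data with a narrow grammar. Strip brackets and quotes, split on
// commas, and accept only identifier-like values; anything else is rejected, never executed.
const TAG_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/i;
function parseTagsSafe(markdown) {
  const m = TAG_LINE.exec(markdown);
  if (!m) return [];
  const inner = m[1].trim().replace(/^\[/, '').replace(/\]$/, '');
  if (inner === '') return [];
  return inner.split(',').map((t) => {
    const tag = t.trim().replace(/^['"]|['"]$/g, '');
    if (!TAG_RE.test(tag)) throw new Error(`rejected tag value: ${JSON.stringify(tag)}`);
    return tag.toLowerCase();
  });
}

// Constructed notes. The second carries a tag value that is a JavaScript expression: under eval
// it sets a global as a side effect and still returns a plausible-looking tag list, so the
// index build succeeds and nothing in the output reveals that code ran.
const BENIGN_NOTE = '---\ntitle: Threat model\ntags: [\'Supply-Chain\', "notes"]\n---\n# body\n';
const MALICIOUS_NOTE = "---\ntitle: Imported\ntags: (globalThis.pwned = true, ['notes'])\n---\n# body\n";
```

The safe parser deliberately throws instead of silently dropping a bad value, so a note crafted to execute code surfaces as an indexing error rather than a quiet success.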

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The declared purpose understates the actual behavior: the skill also deletes files, maintains persistent state, writes logs, and generates summaries. This mismatch can mislead users into granting trust to a skill that performs broader filesystem operations than expected, increasing the chance of unintended data loss or misuse.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The storage path logic is inconsistent: the orchestrator initializes `LocalStorageManager` with `OUTPUT_DIR`, but `storeEntry` writes files to `this.workspace/<content_type>`, so entries land under the output directory root instead of the documented `workspace/memory/KM` layout. This places files in unexpected locations, breaks operator assumptions, and widens the blast radius of later cleanup or indexing operations that resolve paths differently.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The code and user-facing text say orphan files will be archived, but cleanupOrphans actually calls fs.unlinkSync and permanently deletes files. In a knowledge-management skill handling user notes, this is dangerous because state corruption, output-path confusion, or manual files not tracked in state can lead to silent irreversible data loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README documents `km cleanup` as deleting orphaned files and even shows routine use with `--cleanup`, but it does not prominently warn that this is a destructive operation that can permanently remove user data if the sync state is stale, corrupted, or incomplete. In a skill that manages local files under a persistent workspace, users may run cleanup during automation or cron jobs and unintentionally delete legitimate knowledge files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The troubleshooting advice to clear `memory/local-sync-state.json` omits a strong warning that doing so forces a full re-sync, recreates files with new timestamps, and interacts badly with cleanup: entries can be duplicated or overwritten, and files the rebuilt state does not track are later treated as orphans and deleted. Because the tool relies on persistent state to track files, encouraging manual state deletion without safeguards increases the chance of user-driven data loss or repository churn.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises a cleanup command that removes orphaned files but does not provide a prominent warning about deletion risk, scope, or recovery limitations. In a local-storage skill, ambiguous cleanup semantics can lead to accidental deletion of user data, especially when run via automation or with custom output paths.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The orphan cleanup path permanently deletes markdown files without an explicit warning at the point of deletion or a confirmation step. Because this skill manages local knowledge files and also has path inconsistencies, users may invoke cleanup expecting safe maintenance and instead lose legitimate documents.

VirusTotal

64/64 vendors flagged this skill as clean.
