OPC Journal

Security checks across malware telemetry and agentic risk

Overview

This is a local journaling skill, but its export feature can write private journal contents to arbitrary local paths despite documentation claiming local storage is constrained.

Install only if you are comfortable storing personal journal and task data locally and letting analysis commands return raw journal text to the calling agent. Review any export path carefully, avoid exporting to sensitive filenames, and treat delete/archive --force as intentional destructive operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium, 89% confidence
Finding: This file implements batch async task creation and persistence, which is outside the stated journal-focused, local-only skill purpose. That capability expands the operational surface by introducing a generic task orchestration primitive with customer-scoped records, making it easier to hide unintended workflow management or repurpose the skill beyond journaling. In the context of a supposedly local journaling skill, this mismatch is suspicious and increases the risk of unauthorized data handling or covert feature expansion.

Context-Inappropriate Capability

Medium, 92% confidence
Finding: The run function accepts a customer_id and persists multiple async task records, creating a customer-scoped orchestration mechanism that does not fit a local-only journaling tool. Even without network access, this introduces multi-tenant style data handling and durable task state, which can enable cross-context data mixing, unauthorized record creation, or hidden workflow behavior inconsistent with user expectations. The mismatch with the skill context makes the feature more dangerous because it is harder to justify as necessary functionality.

Context-Inappropriate Capability

Medium, 96% confidence
Finding: The export command accepts a caller-controlled output_path, expands it, and writes journal data there without constraining the destination to the application's storage directory. In a CLI/local-only skill this is less severe than remote code execution, but it still enables unintended disclosure or overwriting of local files if another component, prompt flow, or user mistake supplies a sensitive path.

Missing User Warnings

Medium, 88% confidence
Finding: This code writes potentially sensitive journal contents to any local path provided, and there is no visible confirmation, warning, or overwrite safeguard in this file. Because the data appears highly personal (journal, dreams, memory), silent export to an arbitrary location increases the chance of privacy leakage through operator error or misuse by another local component.

Natural-Language Policy Violations

Medium, 95% confidence
Finding: The code silently defaults the journal preferences to the Asia/Shanghai timezone when the user provides no preferences. This can create incorrect timestamps, misleading chronology, and privacy or profiling concerns by imposing a locale-specific default without explicit user consent. In a journaling and milestone-tracking skill, timestamp accuracy is important, so silently choosing a specific region can skew analysis and records.

Missing User Warnings

Medium, 93% confidence
Finding: This command returns the full raw contents of dreams and memory files in `raw_text`, which may contain highly sensitive personal data, and there is no access-control, minimization, or user-consent check visible in this code path. In an LLM-integrated skill, exposing entire journal contents to downstream callers increases the chance of privacy leakage, over-collection, and unintended reuse of private data beyond what is necessary for generating insights.

Missing User Warnings

Medium, 95% confidence
Finding: When context.input.text is present, the code converts it directly into argv using whitespace splitting and then dispatches the parsed command. This allows unstructured or model-generated text to trigger sensitive operations like delete or archive without an explicit user confirmation flow at the parsing boundary, which is especially risky in an agent setting where text may come from indirect or adversarial sources.

VirusTotal

67/67 vendors flagged this skill as clean.