Open Notebook

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local bridge client for managing a user's self-hosted research notebooks, with some real operational risks around deletion and credential handling.

Install only if you trust the local bridge setup and understand that the agent can create, search, retrieve, and delete notebook data available to its API key. Keep OPEN_NOTEBOOK_API_KEY and OPEN_NOTEBOOK_PASSWORD private, restrict allowed_notebooks where possible, avoid storing secrets or sensitive PII because notebooks are unencrypted at rest, and keep backups if you allow delete commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding:
The skill framing emphasizes research assistance but also supports irreversible deletion of notebooks and sources. That creates a security-relevant semantic gap: an agent or user may treat the skill as read/write note-taking while overlooking destructive capabilities that can destroy stored data.

Description-Behavior Mismatch

Severity: Low
Confidence: 87%
Finding:
The skill framing emphasizes research assistance but also supports irreversible deletion of notebooks and sources. That creates a security-relevant semantic gap: an agent or user may treat the skill as read/write note-taking while overlooking destructive capabilities that can destroy stored data.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The security note claims the bridge's `X-API-Key` is the only authentication, but the documented implementation also relies on an upstream bearer credential (`OPEN_NOTEBOOK_PASSWORD`). Misstating the trust and credential model can lead operators to under-protect the upstream secret or misunderstand the consequences of bridge compromise.

VirusTotal

61/61 vendors flagged this skill as clean.
