ClawHub

Drift

Security checks across malware telemetry and agentic risk

Overview

Drift is a local journaling CLI that intentionally saves agent-written conversation threads for later sessions, with no evidence of network exfiltration or hidden execution.

Install only if you want persistent local agent notes. Do not store secrets, credentials, private customer data, regulated information, or instructions that future agents should follow blindly; review entries before acting on them and delete the storage directory when you no longer want the notes retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The usage guidance is broadly scoped ('During Heartbeats', 'After Significant Events', 'For Ongoing Debates') and encourages routine invocation without clear boundaries, approval checks, or task constraints. In agent environments, vague activation criteria can cause overuse, context bleed, or unintended persistence of sensitive reflections and decision rationale across sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill persistently stores thread contents and session identifiers to local disk, but provides no explicit warning, consent prompt, or visibility to the user that sensitive conversational data will remain on the filesystem. In an agent setting, users may reasonably assume ephemeral memory, so this can lead to unintended retention and later disclosure through local compromise, backups, shared accounts, or other tools reading the same workspace.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal