dr-context-pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill openly installs a local memory/context pipeline and changes workspace behavior, but the artifacts do not show hidden network access, credential theft, destructive actions, or deception.

Install only if you want a persistent, evidence-heavy memory workflow. Review the AGENTS.md diff and git status after applying, keep secrets out of memory files, and use the memory commit workflow only for information you intentionally want retained for future sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to read and modify workspace files such as `AGENTS.md`, install files into `context_pipeline`, and inspect memory files, yet it declares no permissions. That mismatch is a real security issue because users and policy systems cannot accurately understand or constrain the skill's file access behavior, increasing the risk of unexpected writes to agent configuration and memory content.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The description frames the skill as a memory/context pipeline, but the body also performs installation, validation, workspace patching, file integrity checks, and watchdog monitoring. That behavioral expansion is security-relevant because a user may invoke what sounds like a prompt-management helper while actually authorizing persistent filesystem changes and policy-file edits.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill advertises a broad invocation phrase, 'Apply dr-context-pipeline as default behavior,' for making it the default agent behavior. Broad or natural-language triggers are dangerous because they can be invoked unintentionally or via prompt injection-style text, causing workspace modifications and persistent behavior changes without a tightly scoped confirmation step.

Vague Triggers

Medium
Confidence
97% confidence
Finding
Using vague conversational triggers like 'memorize this' and 'let’s continue' overlaps with ordinary chat and can cause the skill to read or write memory files during normal conversation. In this context, the danger is elevated because those phrases can initiate persistent memory updates or context reloads without a clear security boundary or explicit consent for filesystem operations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The router uses first-match-wins case-insensitive substring matching, so highly generic terms like "failed" and "error" can misclassify many ordinary requests into the ops path. In a context-retrieval pipeline, misrouting changes retrieval caps and source selection, which can surface irrelevant operational memory or omit the actually needed context, degrading correctness and potentially exposing unrelated internal snippets.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Triggers like "review this", "rewrite", "tone", and "wording" are underspecified and can capture a wide range of unrelated user requests. Because this skill deterministically drives memory retrieval and compression, ambiguous routing can inject the wrong topic files into the Context Pack and distort downstream agent behavior or leak unnecessary context from documentation-related memories.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The planning route includes very broad substrings like "design", "implement", "plan", and "recommend", which are common in general conversation and likely to overmatch. Given the skill's purpose as a default context pipeline, overbroad planning matches can systematically steer many requests into the wrong retrieval policy, reducing determinism and causing inappropriate memory inclusion across many sessions.

Vague Triggers

Low
Confidence
78% confidence
Finding
A standalone "why" substring is extremely broad and can match ordinary conversation fragments, causing qna routing when another task type would be more appropriate. In this skill, the direct effect is primarily incorrect retrieval and lower-quality context selection rather than code execution, so the severity is lower but still real.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The checklist is triggered by loosely defined phrases like 'Use this whenever someone says things like', which can cause the agent to execute a high-impact operational workflow on imprecise or incidental user wording. In this skill, the workflow performs file writes, validation, and repository changes, so ambiguous activation increases the risk of unintended modification of AGENTS.md and context_pipeline state.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are very broad and include common conversational language such as "store this" and "we’ll continue later," which can cause the agent to persist data when the user did not clearly intend a durable memory write. In a memory-management skill, this is especially risky because accidental commits can capture sensitive, incorrect, or transient information into long-lived files that later influence agent behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt includes a ready-to-run shell sequence that installs software, writes files under the workspace, and may alter tracked content such as AGENTS.md, but it does not warn the user that these commands can modify the repository or local files. In an agent skill, this is dangerous because users may paste or allow execution of the block assuming it is only validation, leading to unintended workspace changes and trust-boundary violations.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The activation text directs the agent to use the context pipeline as the default protocol for every user message and says each step must always be performed, which overrides normal per-task consent and can force unnecessary loading, retrieval, and disclosure behavior. In the skill context, this is more dangerous because it changes global agent behavior around memory and context handling, potentially causing unintended access to local memory files or excessive data exposure across unrelated prompts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The ops route includes very generic substrings such as "job", "missed", "failed", and "error", and the router uses first-match-wins substring matching. This can misclassify ordinary user requests into the ops path, causing the pipeline to retrieve and prioritize the wrong memories or operational logs, which may degrade response quality and unnecessarily expose operational context within the generated Context Pack.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The doc_review route contains broad triggers like "rewrite", "tone", "wording", and "claim", which are common in normal conversation and can overlap heavily with planning, Q&A, or general assistance. In this skill, misrouting affects what memory is retrieved and compressed, so ambiguous triggers can steer the agent into an inappropriate review workflow and produce misleading or incomplete context.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Planning and Q&A use highly generic phrases like "plan", "why", "explain", and "what is", which are likely to match a wide range of unrelated inputs under case-insensitive substring rules. Because this skill is a deterministic context-selection pipeline, such broad routing can systematically pull the wrong topic files or omit better sources, reducing correctness and potentially surfacing irrelevant internal memory to the user.

VirusTotal

66/66 vendors flagged this skill as clean.