hot-swap-context-as-MCP

Security checks across malware telemetry and agentic risk

Overview

This is a coherent text-only scaffold for a user-owned context vault and MCP memory server, with disclosed local file creation and memory mutation risks.

Install only if you want an agent-accessible local context workspace. Generate into a fresh directory, review files before connecting the MCP server, install dependencies in an isolated environment, keep HTTP transport local/trusted, and treat permanent deletion as irreversible unless you have backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The skill explicitly instructs the agent to build workspaces and leave behind runnable artifacts, which implies filesystem modification without requiring prior user confirmation or a clear warning about side effects. In an agent setting, this can lead to unexpected file creation, overwrites, or broader environment changes that the user did not knowingly authorize.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The builder command generates a large set of artifacts in a user-specified output directory, but the skill does not instruct the agent to verify whether that directory exists, is empty, or contains important files. This creates a realistic risk of accidental overwrite, clobbering existing project files, or polluting sensitive workspaces with generated code and data.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill tells the agent to install runtime dependencies to make the MCP server runnable, but it does not require warning the user that this will modify the current environment. Dependency installation can alter system state, introduce unreviewed packages, or break reproducibility, especially if performed in a shared or production environment.

Missing User Warnings
Severity: Medium
Confidence: 85%
Finding: The generated MCP server exposes state-changing tools such as upsert_memory_object and delete_memory_object with no authentication, authorization, or policy enforcement in the server code itself. In a context-management skill this is more dangerous, because the server is specifically designed to store durable agent memory and artifacts, so unauthorized or unintended writes and deletions could corrupt long-lived context, poison future agent behavior, or permanently remove records.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The template leaves the retrieval trigger as an unconstrained free-form placeholder, which can cause downstream agents or developers to define overly broad load conditions, such as loading sensitive memory on weak or ambiguous prompts. In a portable context and long-running memory system, vague retrieval rules increase the chance of privacy leaks, context poisoning, and unnecessary exposure of durable memory across tasks or users.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The writeback trigger field is similarly unconstrained, allowing implementers to specify broad or implicit update conditions that may cause agents to persist transient, unverified, or adversarial inputs into long-term memory. In this skill's context of portable memory vaults and typed agent memory, weak writeback boundaries can enable durable contamination, accidental retention of sensitive data, and corruption of shared organizational context.

VirusTotal

65/65 vendors flagged this skill as clean.