diff4

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent as an encrypted diff/file sharing helper, but it exposes an encryption passphrase during normal setup and can upload selected local files without a clear confirmation step.

Install only if you understand that selected diffs or files will leave your machine as encrypted uploads. Confirm the exact files, diff scope, and server before each share, avoid running `diff4 key-get` unless you explicitly want the passphrase displayed, and approve any passphrase or shell configuration changes before `key-gen` runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to upload diffs or file contents to a remote server but does not require an explicit user-facing warning or confirmation at the point of transmission. Even with client-side encryption, this still causes external data transfer and may expose sensitive source code, filenames, metadata, or secrets if the user does not understand that content is leaving the local environment.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documented `diff4 key-get` command prints the current passphrase, and the workflow explicitly tells the agent to run it during setup. This creates a direct secret-exposure path into agent logs, terminal history, screenshots, or chat output, allowing anyone with access to those surfaces to decrypt shared diffs and files.

VirusTotal

66/66 vendors flagged this skill as clean.