ClawHub

Shodh Local

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local memory tool rather than malware, but it asks the agent to run a local server that can retain and proactively reuse user information without enough privacy and retention boundaries.

Review this before installing. It appears local-only and not malicious, but use it only if you are comfortable with an agent-managed local memory server retaining information across sessions. Avoid storing secrets, credentials, health, financial, or other sensitive details unless the tool provides clear ways to inspect, disable, and delete stored memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill describes broad capabilities such as persistent remembering, semantic recall, GTD todos, knowledge graph use, and proactive context without defining when it should or should not run. This ambiguous scope increases the chance of over-collection, context leakage between tasks, or unauthorized memory actions triggered by routine dialogue.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill describes broad capabilities such as persistent remembering, semantic recall, GTD todos, knowledge graph use, and proactive context without defining when it should or should not run. This ambiguous scope increases the chance of over-collection, context leakage between tasks, or unauthorized memory actions triggered by routine dialogue.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly promotes persistent memory, semantic recall, proactive context, and multi-tier long-term storage, but provides no user-facing warning about retention, privacy, or what data will be stored and resurfaced later. In a memory skill, this omission is materially risky because users may disclose sensitive information without understanding that it will persist and be proactively recalled.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal