Duru Obsidian KB

Security checks across malware telemetry and agentic risk

Overview

This is a local Obsidian knowledge-base helper with visible file, network, and repo-ingestion behavior that fits its stated purpose, though users should treat cloned content and .env configuration carefully.

Install only if you want a local KB tool that can fetch web content, copy local files, clone repositories, and write persistent notes under configured KB folders. Keep KB roots scoped, avoid ingesting untrusted private material, review cloned repos as untrusted data, and only use a trusted .env because the daily shell wrapper sources it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
from pathlib import Path

def clone_repo(repo_url: str, repo_dir: Path) -> str:  # enclosing function and its signature are assumed; only the body was excerpted in the finding
    # Skip the clone when the target directory already contains files.
    if repo_dir.exists() and any(repo_dir.iterdir()):
        return "existing"
    repo_dir.parent.mkdir(parents=True, exist_ok=True)
    # Shallow clone of a user-controlled URL; output is captured and a non-zero exit raises CalledProcessError.
    subprocess.run(["git", "clone", "--depth", "1", repo_url, str(repo_dir)], check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return "cloned"
Confidence
88% confidence
Finding
subprocess.run(["git", "clone", "--depth", "1", repo_url, str(repo_dir)], check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs the agent to perform filesystem writes, read local files, access the network, and invoke shell commands, yet it declares no explicit permissions or user-facing capability boundaries. This creates a misleading trust surface: users or orchestrators may invoke it without realizing it can clone repositories, download remote content, and modify local workspace state.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Cloning and storing full remote repositories is a materially stronger capability than lightweight knowledge-base ingestion and is not adequately constrained here. Because the source URL is user-controlled, the skill can be used to fetch and persist large or hostile codebases locally, increasing exposure and enabling downstream abuse if other components later trust or execute repository contents.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Falling back to the external `strings` utility adds a shell-level, system-binary dependency for routine document ingestion without strong justification. This broadens the runtime attack surface and makes behavior depend on host tooling, which is an unnecessary privilege expansion for a KB skill handling untrusted PDFs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs the agent to download articles and papers, normalize URLs, ingest local files, and clone GitHub repositories, but it does not require an explicit warning or confirmation about network access and local filesystem changes. In this context, the broad ingest workflow makes the omission more dangerous because normal use naturally leads to external fetches and persistent writes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically sources a local .env file as shell code before processing user commands. Because `source` executes arbitrary Bash contained in that file, anyone who can modify the skill directory or its .env can run code in the context of the invoking user, and there is no warning, validation, or restricted parser. In a local knowledge-base skill that may process untrusted repos/files, implicit execution of adjacent config is more dangerous than normal configuration loading.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code clones remote repositories and writes multiple files locally without any visible user-facing notice, approval checkpoint, or warning about the scope of the action. In this skill context, that makes the behavior riskier because users may expect note ingestion, not full local replication of external repositories.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script forwards source metadata and up to 1200 characters of preview text to an external CLI-managed model process without any user-facing disclosure or consent gate. In a KB-ingestion workflow, that preview may contain sensitive notes, proprietary documents, credentials accidentally pasted into content, or other confidential material, so silently sending it to another component increases privacy and data-handling risk.

VirusTotal

67/67 vendors flagged this skill as clean.
