蜂兵虾将

Security checks across malware telemetry and agentic risk

Overview

The skill is not malware, but it persists and shares long-lived user profile, goal, value, and behavior data beyond the headline hotspot/content workflow.

Install only if you want a local long-term memory and self-analysis system, not just a hotspot/content assistant. Review what it stores under the memory directory, avoid entering sensitive personal or business data unless you accept persistent profiling, and do not rely on adaptive confirmation reduction for high-impact tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (38)

Context-Inappropriate Capability (Medium severity, 91% confidence)

The module can export and import arbitrary memory entries across systems via shared JSON files, which expands data flow beyond the advertised hotspot monitoring and reporting use case. In a skill that accumulates user/context memory, this creates an unnecessary lateral data-sharing path that can leak retained content to other components without consent, purpose limitation, or access controls.

Context-Inappropriate Capability (Medium severity, 87% confidence)

The code performs motivation analysis over personal psychological dimensions and stores the result in memory, despite the skill being presented as an industry monitoring and content automation tool. Collecting and persisting psychological-profile-like data outside the user's expected context increases privacy risk and can enable manipulation, over-collection, or secondary use of sensitive personal data without meaningful consent.

Context-Inappropriate Capability (Medium severity, 89% confidence)

The module generates blind-spot assessments, self-awareness reports, and future-self predictions from user goals and behavior, then stores them as insights. In the context of a business-monitoring skill, this is unexpected sensitive inference about a user's psychology and behavior, which raises privacy and trust concerns and could be misused to steer decisions or profile users beyond the stated purpose.

Context-Inappropriate Capability (Medium severity, 93% confidence)

The code synchronizes goal-profile and value-related memory into other systems ('signal' and 'workflow') without any visible access control, purpose limitation, or consent gate. Cross-system propagation of sensitive personal data increases the blast radius of any misuse, exposes data to components that may not need it, and makes downstream handling harder to audit.

Description-Behavior Mismatch (Medium severity, 95% confidence)

The documented functionality materially exceeds the skill's stated purpose: instead of only industry monitoring/content workflows, it presents a broad personal knowledge and growth operating system. Scope mismatch is a real security issue because users and platforms may grant trust or permissions based on the manifest, while the skill actually encourages wider data handling and behavior.

Description-Behavior Mismatch (Medium severity, 96% confidence)

The inclusion of personal goal tracking, AI mirroring, and wisdom/value storage goes beyond the advertised business use case of hotspot monitoring and content production. This creates a deceptive expansion of sensitivity and processing scope, increasing privacy and trust risk even if no exploit code is present.

Context-Inappropriate Capability (High severity, 98% confidence)

This section describes deep profiling of user goals, time allocation, motivations, blind spots, and future predictions, which is disproportionate to the stated hotspot-monitoring/content-creation function. Such capability can infer sensitive behavioral and psychological attributes, making the skill significantly more dangerous in context because users would not reasonably expect this level of profiling.

Context-Inappropriate Capability (High severity, 98% confidence)

The L4 'wisdom memory' stores enduring records such as life insights and core values with permanent retention, which are highly sensitive personality data unrelated to the skill's declared operational purpose. Long-term storage of this data increases harm from unauthorized access, misuse, or secondary processing, especially when paired with cross-system sync and query features.

Intent-Code Divergence (Medium severity, 91% confidence)

The demo states that retrieval is constrained by the current scenario/domain, but the implemented query only filters by credibility and success rate before globally sorting all entries. In a skill marketed for autonomous, cross-industry monitoring and execution, this mismatch can cause cross-context memory leakage, incorrect recommendations, and unsafe automated actions based on unrelated domain knowledge.

Description-Behavior Mismatch (Medium severity, 92% confidence)

The document expands the skill from business automation into long-term user-state profiling, including growth trajectory and emotional analysis, which is materially broader than the stated scope of hot-topic monitoring, content creation, trend insight, and auto-recording. This creates an unjustified collection-and-processing path for sensitive behavioral data and increases privacy, consent, and misuse risk.

Context-Inappropriate Capability (High severity, 96% confidence)

Emotion analysis and long-term personal state tracking are sensitive profiling capabilities that are not justified by the advertised business workflow purpose. In a broadly marketed cross-industry automation skill, this is especially risky because users may not expect psychological or behavioral inference, and such inferences can be inaccurate, intrusive, or repurposed for manipulation.

Context-Inappropriate Capability (Medium severity, 94% confidence)

The retention rules specify year-long storage for user state and permanent storage for workflow knowledge/templates without showing necessity, minimization, or separation between user-derived data and reusable artifacts. Excessive retention increases the blast radius of any compromise, misuse, or future secondary use beyond the original session purpose.

Description-Behavior Mismatch (Medium severity, 93% confidence)

This demo script does more than print or simulate logic: it instantiates the collaboration system and writes a new configuration object into persistent L3 memory. That creates an unexpected state-changing side effect, which can silently alter later system behavior and mislead operators who believe they are running a harmless demonstration.

Intent-Code Divergence (Medium severity, 89% confidence)

The summary claims existing settings are unchanged, but the code earlier in the script has already written configuration into system memory. This mismatch is security-relevant because it can cause users or auditors to trust the script and run it in production, leading to unauthorized or unintended configuration changes.

Missing User Warnings (Medium severity, 90% confidence)

The skill instructs broad cross-platform collection from multiple public sources plus detailed workflow logging and user-adaptive analysis, but it contains no privacy boundaries, data minimization rules, retention limits, or restrictions on collecting personal/sensitive data. In the context of an agent meant for automatic monitoring across industries including finance and healthcare, this increases the risk of over-collection, profiling, and storing user or third-party data without appropriate consent or safeguards.

Missing User Warnings (Low severity, 86% confidence)

The README explicitly instructs users to unzip, install dependencies, and run bundled JavaScript without any warning, review guidance, or sandboxing advice. In a package that advertises broad automation and auto-execution capabilities, encouraging direct execution increases the chance that a user runs unreviewed code that could modify the system, access data, or perform network actions.

Missing User Warnings (Medium severity, 92% confidence)

The skill explicitly describes building user profiles and recording interaction preferences, but it does not present a clear user warning or consent flow about privacy impact. In a cross-session assistant context, profiling can expose behavioral patterns and sensitive inferred preferences without the user's informed agreement.

Missing User Warnings (Medium severity, 90% confidence)

The predictive-service section normalizes inferred-intent handling and background preparation based on user history, but does not clearly warn users that the system may proactively act on predictions. That can lead to unexpected processing of prior context or sensitive tasks the user did not explicitly request in the current session.

Missing User Warnings (Medium severity, 92% confidence)

The document explicitly describes adaptive behavior such as 'skip_confirmations' without any warning, guardrails, or limitation on when confirmations may be reduced. In a skill marketed as broadly applicable across industries and capable of automatic execution, suppressing confirmations can cause unsafe or unintended actions to proceed without adequate user consent, especially for high-impact workflows.

Missing User Warnings (Medium severity, 93% confidence)

The system persistently writes working and experience memory to disk and auto-archives content without any visible consent, disclosure, retention controls, or data minimization. Because this skill is marketed for broad cross-industry use, including potentially sensitive domains like finance and healthcare, silent persistence materially increases the risk of storing confidential user or business data longer than expected.

Missing User Warnings (Medium severity, 94% confidence)

Cross-system sync writes accumulated entries into shared files on disk with no user-facing disclosure, purpose restriction, or sensitivity review. This is particularly risky because the module is a general memory store, so shared exports may include previously retained user prompts, context, or operational data that other components can read.

Missing User Warnings (Medium severity, 95% confidence)

The module stores sensitive goal, motivation, behavior, blind-spot, prediction, and value-related data across multiple memory levels and also synchronizes some of it, yet there is no visible disclosure, consent flow, retention policy, or deletion path. This creates material privacy risk because intimate user inferences may persist and spread without user awareness, especially since the skill's advertised purpose does not prepare users for this type of collection.

Missing User Warnings (Medium severity, 88% confidence)

The code synchronizes collected workflow methodologies to the 'signal' and 'goal' systems without any visible consent check, scoping control, or disclosure mechanism. Because this system aggregates tacit knowledge, decision patterns, and methodology data derived from user activity, silent cross-system propagation can expand access to potentially sensitive behavioral or proprietary information beyond the original context.

Missing User Warnings (Medium severity, 93% confidence)

The reset instructions tell users to delete the memory directory but do not prominently warn about irreversible data loss or require confirmation. In a system centered on long-term memory storage, destructive guidance is more dangerous because users may erase valuable or sensitive data unintentionally.

Missing User Warnings (Medium severity, 89% confidence)

The file documents long-term and permanent storage behaviors but does not mention any user warning, notice, or consent flow for the privacy impact. Silent retention of state/history data prevents informed user choice and increases legal and trust risk, especially where sensitive behavioral information may be involved.

VirusTotal

65/65 vendors flagged this skill as clean.