Conversation Flow Monitor

Security checks across malware telemetry and agentic risk

Overview

This local reliability skill is mostly purpose-aligned, but it can delete shared log files and encourages persistent workspace changes without clear user approval or tight scope.

Review before installing. Use it only if you are comfortable with local monitoring logs and heartbeat maintenance. Restrict cleanup to this skill's own log files, disable automatic heartbeat cleanup unless needed, avoid wrapping calls that carry secrets, and require explicit approval before it changes .learnings, SOUL.md, TOOLS.md, or other workspace files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill describes file validation, dependency checks, and diagnostic logging, which implies local file reads, but it declares no corresponding permissions. Undeclared file access is dangerous because it hides the skill's actual capabilities from users and reviewers, reducing informed consent and making abuse or overreach harder to detect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is conversation-flow reliability, but the behavior reportedly includes deleting old log files, validating specific on-disk skill files, and inspecting local log/config files outside that narrow scope. This mismatch is dangerous because it creates hidden side effects and broader filesystem access than users would reasonably expect, increasing the risk of privacy exposure or destructive actions under a benign-sounding description.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document makes broad safety assurances such as 'No dangerous operations' and 'no system modifications' while the same repository summary lists examples involving shell commands and self-improving integration. Even if those examples are only illustrative, the mismatch can mislead reviewers or users into trusting the skill without scrutinizing components that may execute commands or alter behavior, increasing the chance of unsafe deployment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states it may log issues to .learnings/ERRORS.md, update SOUL.md, and enhance TOOLS.md, but it does not warn users that workspace files may be modified. Silent modification of memory or project-governance files is risky because it can alter agent behavior, persist unintended state, or overwrite user-managed project artifacts without clear approval.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The review summary promotes logging, analysis, and community sharing of error patterns without any warning about sensitive data exposure. In a conversation-monitoring skill, logs may contain prompts, file paths, command strings, tokens, or user content; encouraging broad retention or sharing increases the risk of privacy leaks and credential disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The exception and timeout handlers serialize and store portions of args and kwargs in self.error_log. In an agent/tooling context, those arguments may contain prompts, credentials, file paths, tokens, API responses, or other sensitive conversation data, so logging them can create an unintended disclosure channel to logs, memory dumps, telemetry, or downstream diagnostics.

VirusTotal

66/66 vendors flagged this skill as clean.
