Session Branch

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it asks an agent to read broad personal/profile and project context and persist a handoff file without strong consent or scoping controls.

Install only if you are comfortable with the agent reading broad project and IDE context. Before using it, ask the agent to limit scanning to project-local files unless you explicitly approve WorkBuddy identity, memory, scheduled-task, channel, connector, and environment-variable review. Review the generated handoff file before committing or sharing it, and prefer repo-relative paths and placeholders for personal or secret values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium severity, 94% confidence
The skill’s stated purpose is a session handoff, but it directs the agent to enumerate broad project, environment, platform, and tool-state details that exceed what is necessary for that function. This over-collection increases the chance of exposing sensitive operational metadata, user preferences, environment details, and unrelated system context into the handoff flow or model context.

Context-Inappropriate Capability

High severity, 98% confidence
The IDE-specific scan instructions explicitly target personal and global files such as identity, memory, installed skills, schedules, channel configuration, and connector status. These locations can contain private user profile data, behavioral history, internal integrations, and organization-specific metadata that are not required for a minimal branch handoff, creating a clear privacy and data-exposure risk.

Intent-Code Divergence

Medium severity, 89% confidence
The skill prohibits including personal information and specific paths in the reusable handoff, but then requires the startup prompt to contain exact file paths, including absolute paths. Absolute paths often embed usernames, home directories, project locations, and workspace structure, undermining the sanitization goal and potentially leaking identifying system details to a new conversation or external system.

Vague Triggers

Medium severity, 94% confidence
The listed trigger phrases include very generic language such as "branch" and "new task but keep context," which could plausibly appear in normal conversation and unintentionally activate the skill. Because this skill can generate artifacts and influence subsequent session behavior, accidental invocation can lead to unintended context capture and file creation.

Vague Triggers

Medium severity, 88% confidence
The README describes invocation in broad, conversational terms without clearly stating what exact phrase, mode, or confirmation is required to activate the skill. Ambiguous activation criteria increase the risk of the agent interpreting ordinary user intent as permission to perform project analysis and write a handoff document.

Missing User Warnings

Medium severity, 93% confidence
The README says the skill will generate `docs/session-handoff.md` in the project, but it does not prominently warn that the skill modifies the filesystem or explain overwrite/creation behavior. Users may invoke it expecting analysis-only behavior and unintentionally persist sensitive contextual summaries into the repository.

Missing User Warnings

Medium severity, 96% confidence
The skill instructs the agent to inspect sensitive identity, memory, installed-skill, scheduled-task, and channel-configuration sources without any explicit user-facing warning, consent step, or privacy boundary. In a session-handoff context, this silent expansion of scope makes accidental collection and propagation of private or organizationally sensitive data more likely.

VirusTotal

64/64 vendors flagged this skill as clean.