Rag based on Google drive

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible Google Drive document-search helper, but it needs review because it stores and renews bearer tokens and can sync or re-index personal Drive data.

Install only if you trust the Drive RAG API operator and understand that this skill handles private document data. Use a limited, short-lived token, protect or avoid the plaintext .env file, do not share terminal output from renew-token, and require explicit confirmation before renewing tokens, adding folders, syncing, or forcing re-indexing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding: The skill metadata does not disclose that the CLI can mint or renew JWTs, which is a sensitive capability that changes the security profile of the tool. Hidden token-issuance functionality can mislead users and reviewers, increasing the chance of misuse or over-privileged automation.

Vague Triggers

Medium
Confidence: 83%
Finding: The invocation guidance is broad enough that ordinary requests about personal documents or drive activity could trigger the skill unnecessarily. In this context, over-broad triggering is risky because the skill can search personal documents, enumerate indexed files, and perform sync-related actions against a user's Drive-connected RAG system.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill directs the agent to collect an API URL and JWT token and persist them in a local `.env` file without warning about sensitivity, storage lifetime, filesystem exposure, or least-privilege handling. Because JWTs are authentication artifacts, local plaintext storage increases the risk of credential theft, reuse by other local processes, and unintended long-term retention.

Missing User Warnings

Medium
Confidence: 98%
Finding: The renew-token command prints a freshly issued JWT directly to stdout, where it may be captured by shell history workflows, terminal logging, CI logs, screen recordings, or other local monitoring. Because this token is a bearer credential, anyone who sees it can potentially authenticate as the user until it expires.

Unpinned Dependencies

Low
Category: Supply Chain
Content:
requests
python-dotenv
Confidence: 97%
Finding: requests

Unpinned Dependencies

Low
Category: Supply Chain
Content:
requests
python-dotenv
Confidence: 96%
Finding: python-dotenv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category: Supply Chain
Confidence: 95%
Finding: requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category: Supply Chain
Confidence: 74%
Finding: python-dotenv

VirusTotal

67/67 vendors flagged this skill as clean.
