MNN Local Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

This private knowledge-base skill appears useful, but it can persist sensitive user content and may send retrieved KB context to external LLM APIs without sufficiently clear user control.

Review before installing. Use it only if you are comfortable with persistent local storage and possible external LLM/API transmission of your KB content. Avoid storing secrets, credentials, regulated data, or confidential documents unless the configuration is confirmed local-only and you know how to inspect and delete saved entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

MCP Least Privilege

Medium
Confidence
86% confidence
Finding
The skill declares only its allowed tools, but its documented behavior includes security-relevant capabilities: reading and writing local files, invoking shell commands, and making network requests for model download and API access. When those capabilities are not clearly declared as permissions or prominently disclosed, users and orchestrators cannot accurately assess trust boundaries, which increases the risk of unintended data access or exfiltration.

MCP Tool Poisoning

High
Confidence
93% confidence
Finding
The skill is presented as a local private knowledge-base tool, but the documentation reveals extra behaviors that materially change the risk profile: automatic remote model download, use of an external OpenAI-compatible API, and background subprocess management. This mismatch can mislead users into providing sensitive data under the assumption it remains fully local, creating privacy, supply-chain, and execution-safety risks.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a local/private knowledge base, but the example configuration enables query-time use of an external LLM API. In this context, retrieved knowledge-base content and user queries may be sent off-device to a third party, which directly conflicts with expectations of local/private storage and creates a real confidentiality risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a local/private knowledge-base tool, but it silently downloads model artifacts from external URLs when files are missing. In a privacy-sensitive KB workflow, unexpected outbound network access can leak usage patterns, violate offline assumptions, and introduce supply-chain risk from remote model content.

Description-Behavior Mismatch

Critical
Confidence
100% confidence
Finding
The query flow can send the full retrieved KB context and user prompt to an OpenAI-compatible remote API, directly contradicting the skill's description as local/private knowledge storage and retrieval. Because the context may contain sensitive notes or documents, this creates a direct confidentiality breach with potentially large-scale exfiltration of private data.
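The Overview advises using this skill only once the configuration is "confirmed local-only". The check below is an added example, not code from the SkillSpector report or from the MNN skill itself: it audits a configuration for the three off-device behaviours the findings describe (query context sent to a non-loopback OpenAI-compatible endpoint, an API credential present in the environment, and a model download triggered because the local model file is missing). The configuration keys `llm.base_url`, `llm.api_key_env`, `embedding.model_path` and `embedding.download_url` are assumptions chosen to mirror those behaviours; adapt them to the real config file's schema.

```python
"""Audit a knowledge-base skill configuration for off-device data flows.

Added example; not part of the SkillSpector report or the MNN skill's own code.
Config keys (llm.base_url, llm.api_key_env, embedding.model_path,
embedding.download_url) are assumed, not taken from the skill.
"""
import ipaddress
import os
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}


def host_is_on_device(url: str) -> bool:
    """True only if the URL targets the loopback interface.

    LAN addresses and cloud hostnames both mean retrieved KB context and
    prompts leave the machine, so they are treated as off-device.
    """
    host = urlsplit(url).hostname  # lowercased; brackets stripped for IPv6
    if not host:
        return False
    if host in LOCAL_HOSTNAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name other than localhost: assume remote


def audit_kb_config(config: dict, env: Optional[dict] = None) -> list:
    """Return finding codes for a skill configuration.

    `env` stands in for os.environ so the check can be run offline in tests.
    """
    env = os.environ if env is None else env
    findings = []

    llm = config.get("llm", {})
    base_url = llm.get("base_url", "")
    if base_url and not host_is_on_device(base_url):
        findings.append(f"QUERY_CONTEXT_LEAVES_DEVICE: {base_url}")
        if urlsplit(base_url).scheme != "https":
            findings.append("REMOTE_API_OVER_PLAINTEXT_HTTP")
    key_env = llm.get("api_key_env")
    if key_env and env.get(key_env):
        findings.append(f"EXTERNAL_API_CREDENTIAL_PRESENT: {key_env}")

    emb = config.get("embedding", {})
    model_path = emb.get("model_path")
    download_url = emb.get("download_url")
    # The finding above: a missing model file plus a download URL means the
    # first run reaches out to the network before any query is answered.
    if model_path and download_url and not Path(model_path).exists():
        findings.append(f"WILL_AUTO_DOWNLOAD_ON_FIRST_RUN: {download_url}")
        if urlsplit(download_url).scheme != "https":
            findings.append("MODEL_DOWNLOAD_NOT_HTTPS")
    return findings


def is_local_only(config: dict, env: Optional[dict] = None) -> bool:
    """Gate for the Overview's advice: store sensitive notes only if True."""
    return not audit_kb_config(config, env)


if __name__ == "__main__":
    # Constructed sample mirroring the example configuration the findings cite.
    sample = {
        "llm": {"base_url": "https://api.example.com/v1", "api_key_env": "KB_API_KEY"},
        "embedding": {"model_path": "/nonexistent/model.mnn",
                      "download_url": "http://models.example.com/m.mnn"},
    }
    for f in audit_kb_config(sample, env={"KB_API_KEY": "sk-constructed"}):
        print(f)
```

Run it against the skill's actual configuration before storing anything sensitive; a single finding means some content or usage metadata can leave the device, and the gate should fail closed rather than fall back to a remote endpoint.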

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly states that the skill will auto-download a model on first run and may use an LLM API for query generation, but it does not clearly warn users that local content or prompts may leave the device or that remote code/artifacts are fetched at runtime. In a privacy-oriented knowledge-base skill, this omission is security-relevant because users may reasonably assume all processing is fully local and may store sensitive documents under that assumption.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The workflow guidance tells agents to crawl webpages, summarize them, and store the results, but it does not require user confirmation for network fetching or warn that fetched and summarized content will be persisted. This increases the chance of silent external access and retention of potentially sensitive or copyrighted data in an agent context where tool actions may be automated.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad trigger phrases like '记住这个' ("remember this"), 'save this', and 'remember this' can cause the skill to persist arbitrary user content when the user is only speaking conversationally. Because the target is a persistent knowledge base for private information, accidental activation can lead to silent retention of sensitive data beyond the user's intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase '查一下' ("look it up") is extremely vague and overlaps with ordinary requests to look something up. In this skill's context, that ambiguity can route general queries into a private knowledge-base retrieval flow unexpectedly, potentially surfacing stored sensitive content or causing the agent to use private context when the user did not intend it.
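The two Vague Triggers findings above describe the same failure: a substring trigger fires on ordinary conversation. The script below is an added example, not code from the report or from the skill; it runs the trigger phrases the findings quote over a constructed set of messages and contrasts substring matching with a stricter "command form" rule (trigger at the start of the message, a colon, then the payload). The sample messages and the strict rule are assumptions made for illustration.

```python
"""Show how broad trigger phrases over-match ordinary conversation.

Added example; not part of the SkillSpector report or the MNN skill's own code.
The trigger phrases are the ones quoted in the findings; the sample messages
and the stricter command-form rule are constructed for illustration.
"""
import re

BROAD_TRIGGERS = ("记住这个", "save this", "remember this", "查一下")

# Strict form: the trigger must open the message and be followed by a colon
# (ASCII or fullwidth) and a non-empty payload, e.g.
# "remember this: the on-call rotation is in the ops wiki".
_STRICT_SAVE = re.compile(
    r"^\s*(?:记住这个|save this|remember this)\s*[:：]\s*(\S.*)$",
    re.IGNORECASE | re.DOTALL,
)


def broad_match(message: str) -> bool:
    """Substring match, which is how an over-broad trigger list behaves."""
    lowered = message.lower()
    return any(t in lowered for t in BROAD_TRIGGERS)


def strict_save_payload(message: str):
    """Return the text to persist only when the message is an explicit command."""
    m = _STRICT_SAVE.match(message)
    return m.group(1).strip() if m else None


# Constructed conversation; `intent` is what the user actually wanted.
SAMPLES = [
    ("remember this: the on-call rotation is in the ops wiki", "save"),
    ("记住这个: 会议改到周五", "save"),   # "remember this: the meeting moved to Friday"
    ("I'll save this for myself, no need to store it", "chat"),
    ("Do you remember this outage from last week?", "chat"),
    ("帮我查一下今天天气", "chat"),        # "look up today's weather for me"
    ("Let me check if I remember this password correctly: hunter2", "chat"),
]


def false_positives(matcher) -> list:
    """Messages a matcher routes into the KB although the intent was 'chat'."""
    return [msg for msg, intent in SAMPLES if intent == "chat" and matcher(msg)]


if __name__ == "__main__":
    print("broad :", false_positives(broad_match))
    print("strict:", false_positives(lambda m: strict_save_payload(m) is not None))
```

The last sample is the case the SSD findings warn about: a substring trigger would persist a message that merely mentions a password, while the command-form rule persists only the two messages that were explicit save requests. A confirmation step before the write closes the remaining gap.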

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly invites users to store private knowledge but does not warn about persistence, retention, access scope, possible external API usage, or deletion mechanics. In a system handling potentially sensitive notes and documents, missing privacy disclosures increase the chance that users will unknowingly place secrets or personal data into durable storage or into flows that may later leave the device.

Ssd 3

Medium
Confidence
82% confidence
Finding
The skill is designed to persist arbitrary notes, summaries, and chat fragments for later retrieval, which is the intended functionality, but this still creates a real privacy and data-retention risk if sensitive user content is stored without clear consent boundaries. In an agent setting, users may not realize ephemeral conversation content is being transformed into long-lived storage.

Ssd 3

Medium
Confidence
80% confidence
Finding
The example workflow instructs the agent to remember user-provided information and save it for future retrieval, normalizing persistent memory behavior without emphasizing consent, scope, or retention limits. Because the skill targets private knowledge management, this context makes accidental over-collection more plausible and potentially harmful if users store confidential or personal information.

Ssd 3

Medium
Confidence
90% confidence
Finding
The trigger phrases encourage the agent to remember arbitrary user input and save it into persistent storage, which can capture sensitive data without deliberate user intent. In a private-knowledge skill, this increases the likelihood of storing credentials, personal data, or confidential business information that later becomes queryable and reusable.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal