Security audit

ctx-shrink

Security checks across malware telemetry and agentic risk

Overview

The flagged content appears to be disclosed documentation for a command-line helper, not evidence of hidden credential access or unauthorized persistence.

Before installing, read the README, and run the optional PATH/symlink command only if you want the helper available globally. Be careful with any tool that scans project files: keep real secrets out of test repositories and confirm it does not upload file contents unless you explicitly intend that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Credential Access

High
Category
Privilege Escalation
Content
| File              | Size | Risk        |
|-------------------|------|-------------|
| .env.production   | 2.1 KB| 🔴 CRITICAL |
| config/secrets.yml| 145 B | 🔴 CRITICAL |

### 🔧 Quick Fix
Add these to your `.gitignore`:
Confidence
70% confidence
Finding
secrets.yml

Credential Access

High
Category
Privilege Escalation
Content
| File              | Size | Risk        |
|-------------------|------|-------------|
| .env.production   | 2.1 KB| 🔴 CRITICAL |
| config/secrets.yml| 145 B | 🔴 CRITICAL |

### 🔧 Quick Fix
Confidence
60% confidence
Finding
.env.production

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 2: Add to your PATH (user directory)

```bash
mkdir -p ~/.local/bin
ln -sf "$(pwd)/ctx-shrink" ~/.local/bin/ctx-shrink
# Ensure ~/.local/bin is on PATH (e.g. in ~/.profile)
```
Confidence
60% confidence
Finding
mkdir -p ~/.local/bin ln -sf "$(pwd)/ctx-shrink" ~/.local/bin/ctx-shrink # Ensure ~/.local/bin is on PATH (e.g. in ~/.profile

VirusTotal

66/66 vendors flagged this skill as clean.