ClawHub

Sage Voice

Security checks across malware telemetry and agentic risk

Overview

This writing skill is not malicious, but it needs review because it can learn from private messages, emails, documents, and long-term memory without clear limits.

Install only if you want a persistent voice profile. Use intentionally provided writing samples rather than broad mailbox or document access, avoid sensitive or third-party content where possible, and confirm that sage-cognitive provides memory review, opt-out, and deletion controls before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly directs the system to load a user's messages, emails, documents, and profile data to build a style fingerprint, but it does not require informed consent, scoped access, or a retention notice before doing so. Because this data can contain sensitive personal, professional, and third-party information, silent collection and persistence create a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs saving style fingerprints, audience profiles, and correction history into persistent `core` memory, which amounts to long-term storage of behavioral and communication traits without an explicit retention warning or user control. Persistent profiling of writing style can expose sensitive identity, relationship, and workplace patterns, and increases harm if the memory store is later misused or breached.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal