pref0

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate personalization purpose, but it exports full conversations and persistent user identifiers to a third-party service and can feed that service’s prompt back into future agent instructions.

Install only if you are comfortable with pref0 receiving and storing conversation-derived data. Use opaque internal user IDs instead of emails or phone numbers, avoid tracking sensitive conversations, prefer structured preferences over direct prompt injection, and use the delete endpoint when a user asks to reset or remove stored preferences.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow explicitly tells the agent to send the full message history to an external API at session end without any user-facing consent, minimization, or warning. This can leak sensitive personal, financial, medical, or confidential business information well beyond mere 'preferences' and creates a durable third-party data copy.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill recommends stable identifiers such as email, account ID, or phone number without discussing pseudonymization or privacy consequences. Using persistent real-world identifiers increases linkability across sessions and systems, making profiling and reidentification easier if the service or logs are exposed.

Ssd 3

Medium
Confidence: 97%
Finding
The skill instructs sending conversation messages to an external service so it can extract and store preferences over time, including corrections and explicit quotes. This creates long-term retention and secondary use of user content, potentially including sensitive information the user did not intend to be persisted or reused.

Ssd 3

High
Confidence: 98%
Finding
The prescribed workflow tells the agent to transmit the full message history at the end of each session, which materially increases exposure compared with sending only extracted preferences. Full histories often contain unrelated secrets, personal data, or confidential context that should not be exported to a third party for long-term reuse.

Ssd 3

Medium
Confidence: 90%
Finding
Returning verbatim evidence plus a reusable prompt built from prior conversations increases the chance that sensitive or contextually private user statements are propagated into future sessions. This broadens the blast radius of a single disclosure and may surface prior private content in unrelated contexts.

VirusTotal

64/64 vendors flagged this skill as clean.
