InkPot

Security checks across malware telemetry and agentic risk

Overview

InkPot is a local knowledge-management skill, but it asks to monitor ordinary conversations, store learning/profile data, and persist auto-loading across future sessions without adequate user controls.

Install only if you intentionally want a local skill that records study activity and profile-like behavior from conversations. Prefer limiting it to explicit /墨池 commands or an enabled study session, and add clear controls to pause, review, delete, export, and disable stored knowledge/profile data before using it with sensitive conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill instructs the assistant to write a persistent auto-load preference into `MEMORY.md`, extending its behavior beyond the skill's own storage and into global future sessions. This creates unauthorized persistence and can cause cross-session surveillance-like behavior without clear, granular user consent each time.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The trigger rules are so broad that ordinary questions, punctuation, and common conversational patterns would activate the skill. This makes activation boundaries effectively meaningless and risks unintended data capture, logging, and file writes during normal conversation.

Vague Triggers

Severity: High
Confidence: 96%
Finding
The description explicitly claims the skill auto-loads and listens to all user input, which creates ambiguous and overbroad activation semantics. In practice this encourages continuous background processing of conversations, increasing the chance of collecting unrelated or sensitive content without clear user intent.
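An added example, not part of the SkillSpector report or the InkPot skill, showing how the Context-Inappropriate Capability finding above (the `MEMORY.md` auto-load instruction) and the two Vague Triggers findings can be checked mechanically: a small Python lint that measures what fraction of a constructed set of ordinary, unrelated messages a skill's trigger patterns would fire on, and searches the skill's instructions for persistence and always-on markers. The two manifests, the message sample, the marker list and the 20% threshold are all assumptions; InkPot's real trigger rules are not shown on this page.

```python
import re

# Constructed sample of ordinary chat that has nothing to do with studying.
# A well-scoped skill should activate on none of these.
ORDINARY_MESSAGES = [
    "what time is the meeting?",
    "can you fix this typo",
    "why does my build fail?",
    "thanks!",
    "how do I configure the proxy",
    "ok",
]

# Instruction-text markers that indicate cross-session persistence or
# continuous monitoring (hypothetical list, extend as needed).
PERSISTENCE_MARKERS = [
    (r"MEMORY\.md", "writes an auto-load preference into the global memory file"),
    (r"always[- ]?on", "claims continuous background operation"),
    (r"all user input|every message", "monitors all conversation input"),
]


def trigger_breadth(patterns, messages=ORDINARY_MESSAGES) -> float:
    """Fraction of unrelated messages that would activate the skill."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = sum(1 for m in messages if any(c.search(m) for c in compiled))
    return hits / len(messages)


def lint_skill(manifest: dict, max_breadth: float = 0.2) -> list:
    """Return human-readable findings for a hypothetical skill manifest."""
    findings = []
    breadth = trigger_breadth(manifest.get("triggers", []))
    if breadth > max_breadth:
        findings.append(
            f"vague triggers: {breadth:.0%} of ordinary messages would activate the skill"
        )
    instructions = manifest.get("instructions", "")
    for pattern, reason in PERSISTENCE_MARKERS:
        if re.search(pattern, instructions, re.IGNORECASE):
            findings.append(f"context-inappropriate capability: {reason}")
    return findings


# Constructed manifests: one overbroad, one scoped to the explicit command.
BROAD_SKILL = {
    "triggers": [r"\?", r"\b(what|why|how)\b", r"^/墨池"],
    "instructions": "Write 'auto-load InkPot' to MEMORY.md so it stays "
                    "always-on and listens to all user input.",
}
NARROW_SKILL = {
    "triggers": [r"^/墨池\b"],
    "instructions": "Record only when the user issues /墨池 commands "
                    "during a study session they started explicitly.",
}

if __name__ == "__main__":
    for name, manifest in (("broad", BROAD_SKILL), ("narrow", NARROW_SKILL)):
        print(name, lint_skill(manifest) or ["no findings"])
```

The breadth metric is the useful part: a trigger such as `\?` or a bare question word fires on half of the constructed sample, which is the "effectively meaningless activation boundary" the scanner describes, while a command-prefix trigger fires on none of it.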

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill describes persistent recording of learning behavior and user profile updates, but does not provide a clear upfront privacy notice, consent flow, or explanation of retention effects. This is dangerous because users may reveal sensitive personal, educational, or behavioral information during ordinary chat without realizing it will be stored and profiled.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The workflow documents automatic writes to multiple knowledge and profile databases but does not clearly warn that persistent file modification will occur. Silent persistence increases the risk of unexpected retention of conversation-derived data and makes accidental storage of sensitive content more likely.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill's documentation states that it will automatically execute a recording command after learning-related answers and remain 'always online', but it does not disclose consent, scope limits, retention, or write-side effects to the user. In an agent environment, silent continuous profiling and file writes can expose sensitive topics, create persistent surveillance, and store personal data without meaningful notice or control.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The code persistently writes user-derived knowledge and behavioral profile data via update_user_profile and related knowledge-record APIs without any visible consent, notice, or gating in this interface. In the stated skill context of always-on monitoring and automatic extraction from arbitrary conversations, this creates a real privacy/security issue because users may be tracked and profiled unexpectedly across sessions.
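As an added example (not InkPot's own code, and not the scanner's), here is what the gating that this finding and the overview call for looks like in practice: a hypothetical recorder that stores learning data only while the user has issued an explicit /墨池 command or started a study session, and that exposes the pause, review, delete, export and disable controls listed in the overview. The class, its method names and the sample messages are assumptions; it does not call the skill's `update_user_profile` API, it stands in for it.

```python
import json
from dataclasses import dataclass, field

# Explicit activation command named in the overview.
COMMAND_PREFIX = "/墨池"


@dataclass
class GatedRecorder:
    """Hypothetical stand-in for the skill's knowledge/profile writer.

    Unlike an always-on recorder, every write passes through _activated(),
    so ordinary conversation is never persisted.
    """
    enabled: bool = True          # "disable" control: no recording at all
    paused: bool = False          # "pause" control: suppress recording temporarily
    session_active: bool = False  # study session the user started explicitly
    store: list = field(default_factory=list)
    skipped: int = 0              # messages seen but deliberately not stored

    # ---- user controls ------------------------------------------------
    def start_session(self) -> None:
        if self.enabled:
            self.session_active = True

    def end_session(self) -> None:
        self.session_active = False

    def pause(self) -> None:
        self.paused = True

    def resume(self) -> None:
        self.paused = False

    def disable(self) -> None:
        self.enabled = False
        self.session_active = False

    def review(self) -> list:
        return [dict(entry) for entry in self.store]

    def export(self) -> str:
        return json.dumps(self.store, ensure_ascii=False)

    def delete(self, index=None) -> int:
        """Delete one entry by index, or everything; returns entries removed."""
        if index is None:
            removed = len(self.store)
            self.store.clear()
            return removed
        del self.store[index]
        return 1

    # ---- gating -------------------------------------------------------
    def _activated(self, message: str) -> bool:
        if not self.enabled or self.paused:
            return False
        return self.session_active or message.startswith(COMMAND_PREFIX)

    def handle(self, message: str) -> bool:
        """Persist the message only if activation holds; True if stored."""
        if not self._activated(message):
            self.skipped += 1
            return False
        if message.startswith(COMMAND_PREFIX):
            message = message[len(COMMAND_PREFIX):]
        self.store.append({"id": len(self.store) + 1, "text": message.strip()})
        return True


def demo() -> dict:
    """Walk through the controls with constructed messages; returns outcomes."""
    r = GatedRecorder()
    result = {}
    result["ordinary"] = r.handle("What is a hash function?")          # not activated
    result["explicit"] = r.handle("/墨池 record: a hash maps input to a fixed-size digest")
    r.start_session()
    result["in_session"] = r.handle("SHA-256 produces a 256-bit digest")
    r.pause()
    result["while_paused"] = r.handle("this must not be stored")
    r.resume()
    result["exported"] = json.loads(r.export())
    result["deleted"] = r.delete()                                    # user wipes everything
    r.disable()
    result["after_disable"] = r.handle("/墨池 even explicit commands are blocked")
    result["skipped"] = r.skipped
    result["remaining"] = len(r.review())
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), ensure_ascii=False, indent=2))
```

The design point is that activation is a property of the user's last explicit action, not of the message content: an ordinary question is skipped, a prefixed command or an open session is stored, and disable wins over everything, including later explicit commands, until the user re-enables the skill.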

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill directs continuous monitoring of all user input and recording of extracted knowledge, behavior, and inferred profile data across conversations. This is a substantial privacy and data-governance risk because it normalizes broad collection from unrelated chats and can capture sensitive information far beyond the user's intended scope.

Ssd 3

Severity: High
Confidence: 99%
Finding
The trigger rules make extraction and logging near-universal for ordinary questions and chat, which means persistent profiling can occur from routine conversation. Because the threshold is extremely low, users have little practical ability to avoid collection except by never asking normal questions.

Ssd 3

Severity: High
Confidence: 98%
Finding
The skill explicitly says it will log preferences, behavior patterns, and profile information from casual conversation and simple commands. That broad behavioral surveillance can reveal interests, expertise, habits, and identity attributes that users did not knowingly consent to store.

Ssd 3

Severity: High
Confidence: 99%
Finding
The automated workflow persists extracted concepts, user profile data, and learning logs into local databases without requiring explicit user approval at the time of storage. This creates a direct path for silent retention of sensitive conversation-derived information and makes later review or deletion difficult.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The documented databases store inferred identity, behavior statistics, and logs derived from conversations, enabling long-term aggregation of user data. Even without external exfiltration, this level of retention increases privacy risk, potential misuse, and harm if local files are later accessed by others.

Ssd 3

Severity: High
Confidence: 98%
Finding
The setup tells the user to persist automatic loading in `MEMORY.md`, ensuring the monitoring behavior continues into future conversations. This creates durable, cross-session persistence for a surveillance-like feature and meaningfully increases the risk by making collection ongoing rather than contextual.

VirusTotal

No vendor flagged this skill as malicious (0/64 detections). Note that VirusTotal checks the files against antivirus engines for known malware, so a clean result says nothing about the privacy and agency findings above, which concern how the skill behaves rather than whether it carries a known malicious payload.