ClawVault

Security checks across malware telemetry and agentic risk

Overview

ClawVault is a real sync-vault skill, but it handles sensitive agent data with unsafe setup, restore, and transport-security choices that users should review before installing.

Review carefully before installing. Treat synced vault contents as sensitive, do not rely on the encryption claims unless the publisher adds real payload encryption, install rclone yourself from a trusted source, avoid Git/SFTP providers until host key verification is fixed, keep backups before pull/profile restore, and inspect every package install command before approving it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (33)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares powerful tools (`exec`, `file`) and documents shell-driven operations, yet its permissions/capabilities are not explicitly and narrowly declared. In a sync/backup skill that handles identity, memory, packages, and credentials, undeclared shell/environment access increases the chance of hidden side effects, unauthorized command execution, and user surprise.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description frames the skill as an encrypted portable vault, but the documented behavior goes substantially further: package installation, key management, cloud signup/billing, and profile restore/overwrite workflows. That mismatch is dangerous because users may consent to a benign-seeming backup feature while actually granting a broad management capability that can alter the system, transmit data, and affect billing or credentials.

Intent-Code Divergence

Medium
Confidence
72% confidence
Finding
The documentation is internally inconsistent: it says profiles are separate and never merge automatically, but also describes some content as a shared knowledge pool that is always synced across machines. For a vault handling identity and memory, ambiguity about isolation boundaries can lead users to place sensitive data in locations they believe are machine-local when it may be replicated elsewhere.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The provider automatically installs a dependency by fetching and executing a remote shell script from the network, which gives external code execution capabilities well beyond simple Dropbox sync. In a vault tool that handles identity, memory, and package data, this is especially dangerous because compromise during setup can fully compromise the host and the synced secrets.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The setup path automatically installs rclone by fetching and executing a remote installer script, including a privileged path on Linux. This creates a supply-chain and remote-code-execution risk because compromise of the download source, TLS interception, or unexpected installer behavior would lead to arbitrary code execution during routine vault setup.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The helper forces SSH with StrictHostKeyChecking=no, which disables host authenticity verification for every git fetch/push/clone. Because this provider syncs sensitive vault contents, a machine-in-the-middle or DNS/route hijack could impersonate the git server, receive pushed secrets, and supply attacker-controlled repository contents on pull.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The provider auto-installs rclone by downloading and executing a remote installer script, which gives arbitrary code execution to whatever content is served from that URL or intercepted in transit. In a storage-sync provider, package installation is not strictly part of the provider’s core function, so embedding this behavior materially expands the attack surface.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script auto-installs rclone by piping a remotely fetched installer into a shell, which gives the provider arbitrary code execution capability unrelated to basic WebDAV sync. In a vault-management context, this is especially risky because the script handles sensitive local data and may run with elevated privileges during setup.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script's documented role is package tracking/sync, but the install subcommand actively installs software and can invoke privileged package managers. In an agent-skill context, that broadens capability from inventory collection to system modification, increasing the risk of unintended or unauthorized changes if triggered by the user or another workflow.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The header comment states the script only scans system package managers and writes a requirements file, but the code also supports installing packages. This mismatch can mislead reviewers and users about the script's authority, making dangerous behavior more likely to be approved or executed without informed consent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The signup handler reports success in the catch path even when the API request fails, while the UI otherwise presents account creation as immediate and real. This can mislead users into believing a cloud account and vault were provisioned when no backend state exists, causing trust violations, confusion, and possible unsafe follow-on actions based on a nonexistent account.

Intent-Code Divergence

Low
Confidence
89% confidence
Finding
The inline comment indicates the API may not be live yet, but the surrounding experience markets the service as available now and the fallback still shows a successful signup message. This discrepancy is deceptive and increases the risk that users disclose data or depend on a service that is not actually operational.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README promotes automatic, invisible syncing of knowledge and memory to external storage, but it does not foreground the privacy and data-transmission risks of uploading potentially sensitive agent context to third-party providers. In an identity-vault skill, this is security-relevant because users may assume convenience features are safe by default and may sync sensitive files without understanding exposure, retention, or provider-side compromise risks.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases (`sync`, `backup`, `restore`, `cloud`, `packages`, etc.) are broad and likely to activate during ordinary conversation. Because this skill can invoke shell commands and perform state-changing operations involving remote storage, accidental invocation could expose data, initiate provider setup, or steer the agent into sensitive workflows without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill prominently advertises automatic, continuous, invisible syncing across machines without an equally prominent upfront warning about what data leaves the machine and when. In this context, the synced content includes identity, long-term memory, project context, package manifests, and optionally credentials/configuration, so silent or poorly disclosed transmission creates a serious privacy and security risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `profile pull` command immediately invokes a restore operation and then logs success, but presents no confirmation prompt, dry-run summary, or explicit warning that local vault contents may be overwritten. In a tool whose purpose is syncing and restoring identity, knowledge, and memory across machines, this increases the chance of accidental destructive state loss from user error or a mistaken profile name.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The pull operation copies files from remote content directly into the local vault without prompting, versioning, integrity verification of the returned payload beyond transport, or conflict handling. If the remote account, API, or profile selection is wrong or compromised, important local identity and memory files can be silently overwritten, causing data loss or unauthorized state manipulation.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script installs and executes code from a remote source without any interactive confirmation or integrity verification. That creates a direct path to arbitrary code execution if the remote script, TLS session, DNS resolution, or hosting infrastructure is compromised.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script disables SSH host key verification with StrictHostKeyChecking=no for push operations, allowing a man-in-the-middle attacker or malicious server impersonator to intercept or redirect transfers without user confirmation. In a vault-sync skill that moves identity, memory, and package data across machines, this materially increases the risk of confidential data exposure and sync tampering.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The pull operation copies remote files directly over local vault files without an explicit prompt, preview, backup, or integrity check. If the remote endpoint is compromised, misconfigured, or unexpectedly points to another profile, local identity and memory state can be silently replaced, causing data loss or poisoning of the agent's persisted context.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code executes a remote installer immediately at the point where the dependency is missing, without an explicit opt-in confirmation right before execution. Users invoking a normal provider setup may not expect arbitrary downloaded code to run, which makes accidental compromise or privilege misuse much more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The pull flow copies remote files over local vault state without prompting, backup, conflict detection, or integrity checks. Because this skill syncs identity, memory, and configuration data across machines, a stale, malicious, or mistaken remote state could silently overwrite important local data and alter agent behavior.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The push path automatically stages and uploads identity, knowledge, and manifest files to a remote repository without a fresh user-facing warning or confirmation at push time. In a vault-sync skill, that behavior is expected, but it still creates real exfiltration risk because highly sensitive local data is transmitted to whatever remote was configured, including a malicious or misconfigured repository.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The pull flow copies remote repository content directly over local vault files such as identity/USER.md, MEMORY.md, requirements, and manifests without prompting or preserving backups. In this skill's context, remote state is treated as authoritative, so a compromised remote or mistaken branch can silently overwrite trusted local identity and memory data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The pull operation copies remote files directly into the local vault and will overwrite existing files with no prompt, backup, version check, or conflict detection. In the context of a sync/backup identity vault, this can silently destroy local state or replace trusted identity, memory, or configuration data with stale or tampered content from the storage location.

VirusTotal

64/64 vendors flagged this skill as clean.
