TinkerClaw ChatGPT Exporter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by exporting ChatGPT history, but it handles very sensitive conversation data and access tokens with too little scoping or warning.

Review carefully before installing. Only run this if you intentionally want a plaintext local copy of your ChatGPT history, including potentially sensitive prompts, responses, IDs, timestamps, and project conversations. Prefer a private output directory, avoid synced/shared folders, and do not pass access tokens on the command line.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill advertises an export function that inherently touches highly sensitive user conversation history, yet it declares no permissions while static analysis indicates network and shell capabilities. That mismatch prevents informed consent and increases the risk of silent exfiltration, credential harvesting, or unsafe local command execution under the guise of a simple export.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding:
The skill description promises an instant, complete export, but the analyzed behavior includes access-token retrieval, filesystem writes, shell/browser relay workflows, and incomplete coverage of projects and raw conversation content. This is dangerous because users may consent to a simple backup while the skill performs much more sensitive actions and may give them a false sense of completeness about what was exported.

Vague Triggers

Medium
Confidence: 77%
Finding:
The invocation guidance is so broad that it encourages users to 'install' and 'run' the skill without clear boundaries on data scope, destination, required tokens, or side effects. For a tool handling full ChatGPT history, vague instructions raise the chance of unsafe execution, accidental over-collection, or exposure of sensitive conversations to unintended locations or workflows.

Missing User Warnings

Medium
Confidence: 92%
Finding:
A skill designed to export all conversations handles extremely sensitive personal, business, and authentication-adjacent data, yet the description omits any warning about confidentiality, local storage risk, or downstream sharing. In this context, the absence of a warning is materially dangerous because users may run it without understanding that it can create durable copies of sensitive history on disk or move them through other tooling.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The script is explicitly designed to export all ChatGPT conversations, including full message contents, timestamps, and metadata, into a local JSON file. Even though the behavior is the stated purpose of the tool, there is no meaningful upfront consent or sensitive-data warning before bulk collection and download, which increases the risk of users unintentionally storing highly sensitive data on disk.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The script writes full conversation content, timestamps, IDs, and metadata to local files without an explicit consent prompt or strong warning that sensitive data will be persisted on disk. In an agent context, users may trigger this action conversationally without realizing private prompts, secrets, or regulated data will be stored in plaintext files that other local users, backups, or synced folders could access.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The embedded browser-side JavaScript uses authenticated requests with browser credentials to enumerate and retrieve the user's ChatGPT conversations, but the code provides no explicit privacy disclosure at the point of access. Because this runs through a browser relay in an agent skill, it can silently access highly sensitive account data under the user's session, increasing the risk of over-collection beyond what the user expected from a natural-language command.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The script writes full ChatGPT conversation data, including content, timestamps, IDs, and metadata, to local files under a predictable directory without any warning, confirmation, or restrictive permissions. Because exported chats may contain secrets, personal data, or proprietary information, silent disk persistence increases the chance of accidental disclosure through backups, shared home directories, malware, or later exfiltration.

Missing User Warnings

Medium
Confidence: 97%
Finding:
Passing the access token as a command-line argument exposes it to other local users and monitoring tools via process listings, shell history, audit logs, and job-control tooling. Since this token grants access to the user's conversations, disclosure can directly enable unauthorized export of sensitive data.

VirusTotal

60/60 vendors flagged this skill as clean.
