ContextKeeper

Security checks across malware telemetry and agentic risk

Overview

ContextKeeper is a coherent local checkpoint tool, but its safety claims understate real shell execution, persistent local writes, and input-handling flaws that could affect files or later dashboard behavior.

Install only if you are comfortable with a local shell-based checkpoint helper that writes persistent project metadata under ~/.memory/contextkeeper and reads it later. Review or patch the scripts first for project-ID path validation, safe JSON generation for filenames and paths, and safer dashboard timestamp parsing; also treat the documented cron/session-hook ideas as opt-in future automation, not a default safe boundary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill metadata and security section make strong safety claims such as 'no command execution' and 'validated inputs,' but the described behavior relies on numerous external binaries, reads repository state, and writes files/symlinks under the user's home directory. This mismatch is dangerous because agents or users may grant the skill more trust than warranted, leading to unintended filesystem changes, privacy leakage from repository metadata, or use in environments where external command execution was assumed impossible.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation guide materially expands the skill from manual note-taking into automation via cron, session-end hooks, and helper-script execution, which contradicts the stated safety boundary of no background processes and no command execution. This creates a trust and capability mismatch: an agent or integrator could enable unattended file writes and lifecycle hooks under the assumption the skill is purely manual and safe.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document says 'No Binary Required' and 'No Code Required' while also defining an executable shell script and command invocations. That inconsistency can mislead reviewers and users about the skill's real behavior, making them more likely to approve or run it without appropriate scrutiny of command execution and file-system side effects.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Git-aware repository inspection, branch discovery, and recent-file tracking exceed simple manual context preservation and introduce broader workspace introspection. Even if intended for convenience, these capabilities can expose sensitive repository metadata, reveal project structure, and normalize data collection beyond what users expect from a manual state-tracking skill.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Claiming the skill is purely behavioral and 'not a binary' after specifying cron jobs, session hooks, file updates, and an executable helper script is a deceptive capability description even if not intentionally malicious. This increases the chance that operators will deploy the skill under weaker controls than they would apply to something that performs automated actions and writes local state.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger regexes are broad and match common conversational phrases such as 'pick up,' 'remind me,' 'status,' and 'finish it,' which can cause unintended activation. In the context of a skill that may read state, infer project context, or write checkpoints, accidental triggering can lead to unauthorized file changes, incorrect context loading, or leakage of project information in normal conversation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide describes automatic checkpoint writes on session end and state updates without any user-facing notice or consent flow for modifying local files. Silent persistence is risky because users may not realize the skill is creating or appending logs, which can leak sensitive task history, clutter repositories, or overwrite expected state during normal use.

VirusTotal

59/59 vendors flagged this skill as clean.