Safe Encryption

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate encryption purpose, but it instructs agents to install a downloaded binary with sudo without asking the user, and to handle sensitive keys and browser/network sharing workflows with weak user control.

Install only if you trust the SAFE project and are prepared to control the workflow manually. Do not allow automatic sudo installation; verify the binary and checksum yourself, prefer a user-local install, avoid browser fallback for highly sensitive plaintext or private keys, and confirm exactly which files, keys, recipients, and network destinations are used before encrypting, decrypting, or sharing.
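One way to carry out the "verify the binary and checksum yourself, prefer a user-local install" advice above, written here as an added example rather than code from the SAFE project or from this report. The binary name (safe), the place the expected digest comes from, and the install directory are assumptions; the point is that the digest is checked before anything is copied, the copy goes into a directory the user owns, and sudo is never invoked.

```shell
#!/bin/sh
# Added example; not code from the SAFE project or from the scan report.
# Verifies a downloaded release binary against a SHA-256 digest copied from
# the project's release page, then installs it under a user-writable directory.
# Nothing here runs sudo or writes to a system path. The binary name ("safe"),
# the digest format and the install directory are assumptions for the demo.

# sha256_of FILE: print the hex digest using whichever tool the host has
# (sha256sum from coreutils on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_install_user_local BINARY EXPECTED_SHA256 DEST_DIR
# Installs BINARY into DEST_DIR only if its digest equals EXPECTED_SHA256.
# Exit status: 0 installed, 1 digest mismatch, 2 malformed digest or unreadable file.
verify_and_install_user_local() {
    binary=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest_dir=$3

    # Accept only a plain 64-hex-character digest, so a truncated or edited
    # checksum line cannot "match" by accident.
    case "$expected" in
        *[!0-9a-f]*|'')
            echo "refusing: expected digest is not a SHA-256 hex string" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "refusing: expected digest is not a SHA-256 hex string" >&2
        return 2
    fi
    if [ ! -r "$binary" ]; then
        echo "refusing: cannot read $binary" >&2
        return 2
    fi

    actual=$(sha256_of "$binary")
    if [ "$actual" != "$expected" ]; then
        echo "refusing: digest mismatch for $binary" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    # install(1) copies with an explicit mode into a directory the user owns.
    mkdir -p "$dest_dir" || return 2
    install -m 0755 "$binary" "$dest_dir/$(basename "$binary")"
}

# Demo on a constructed "download": a stub script stands in for the real
# release binary, and its own digest stands in for the published one.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho safe-stub\n' > "$tmp/safe"
    good=$(sha256_of "$tmp/safe")
    if verify_and_install_user_local "$tmp/safe" "$good" "$tmp/bin"; then
        echo "installed: $tmp/bin/safe"
    fi
    # Append one byte to simulate a tampered download; it must be rejected.
    printf 'x' >> "$tmp/safe"
    if ! verify_and_install_user_local "$tmp/safe" "$good" "$tmp/bin"; then
        echo "tampered download rejected"
    fi
    rm -rf "$tmp"
}

demo
```

In real use the expected digest is the value published by the project, typed or pasted by the user, not a checksum file fetched from the same location as the binary; a digest that travels with the download only proves the download was not corrupted in transit, not that the publisher is who you think.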

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Severity: Medium | Confidence: 98%
Finding
The skill instructs the agent to automatically install a binary and move it into system paths, potentially with sudo, without user confirmation. That exceeds the minimum capability needed for an encryption helper and creates a supply-chain and unauthorized system-modification risk if the binary or download path is compromised.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
Finding
The skill greatly broadens its scope into browser automation, WebRTC, GitHub/Gist transport, public posting, and agent messaging. This expansion increases attack surface and encourages data movement across external services that are not necessary for a basic encryption skill, making misuse or accidental disclosure more likely.

Intent-Code Divergence

Severity: Medium | Confidence: 88%
Finding
The documentation says no data leaves the browser, but later features explicitly fetch remote content, GitHub keys, URLs, sharing links, Gists, and WebRTC sessions. This is misleading security guidance that may cause users or agents to handle sensitive material under false assumptions about network exposure.

Missing User Warnings

Severity: High | Confidence: 97%
Finding
The skill directs automatic installation with system modification and privileged moves without a clear upfront warning or consent step. That violates safe execution expectations for an encryption helper and could lead to unauthorized host changes or execution of an untrusted binary.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding
Telling the agent to encrypt/decrypt immediately without confirmation is risky because these operations often involve sensitive data, keys, overwriting outputs, or unintended disclosure destinations. In security-sensitive contexts, removing confirmation increases the chance of accidental exposure or destructive handling.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The browser fallback encourages handling plaintext, ciphertext, and keys in a web session without prominently warning about browser risks, extension exposure, clipboard leakage, or accidental network interactions. Users may assume this is equivalent to a local CLI workflow when it is not.

Missing User Warnings

Severity: Low | Confidence: 76%
Finding
Fetching recipients from GitHub reveals queried usernames and timing metadata to GitHub and intermediaries. While expected for the feature, the lack of prominent disclosure can surprise users who may believe recipient resolution is fully local.

Ssd 3

Severity: Medium | Confidence: 90%
Finding
The documentation normalizes sharing encrypted payloads and operational instructions through public channels, which can encourage unsafe handling patterns and broaden exposure of metadata, reply keys, and sensitive operational context. Even when ciphertext is protected, public dissemination increases persistence and discoverability risks.

VirusTotal

65/65 vendors flagged this skill as clean.