ClawHub

X Grok to Obsidian

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its stated export job, but it handles broad private Grok/X chat history and can leave raw captures in browser storage if a run is interrupted.

Install only if you are comfortable running a DevTools script while logged into X and exporting potentially broad Grok chat history. Use a private trusted machine/browser profile, store the JSON and Markdown in a protected location, avoid synced or shared folders for sensitive chats, and manually clear the xgrok_capture_checkpoint_v1 localStorage entry if the capture is interrupted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly instructs users to capture Grok/X conversation data at the browser-network level and notes that checkpoint state is stored in localStorage, but it does not clearly warn that the captured JSON and browser-stored checkpoints may contain sensitive personal content and metadata. This omission can lead users to handle, retain, or share exported data insecurely, increasing the risk of privacy exposure or accidental disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The --include-reasoning option exports thinking_trace content directly into Markdown files without any warning, redaction, or consent checkpoint. Reasoning traces can contain sensitive internal model output, user data, or analysis not intended for long-term storage, and this skill's purpose is to back up conversations into local notes, which increases the chance that sensitive material is retained, synced, or shared unintentionally.

Ssd 3

High
Confidence
75% confidence
Finding
This script captures full Grok conversation contents, metadata, and potentially auxiliary fields such as thinking traces and web results, then stores them in memory, localStorage checkpoints, and a downloadable JSON file. Even if intended as a backup/export tool, this creates a substantial confidentiality risk because highly sensitive chat history can persist locally in plain form and be exposed to anyone with access to the browser profile, shared machine, backups, or other local compromise.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal