项目中枢 / Project Nerve

Security checks across malware telemetry and agentic risk

Overview

This skill coherently manages project tasks across connected services, with sensitive access mostly disclosed and local persistence aligned to its features.

Install only if you are comfortable granting the configured project-management tokens permission to read and modify tasks. Use least-privilege tokens, point Obsidian at a task-specific vault or folder when possible, specify the target platform before creating important tasks, and periodically reset local learning/cache data if it may contain sensitive project information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding: The module persists learning records containing user corrections, error messages, platform names, actions, and other contextual data to disk, but this file shows no consent flow, disclosure, minimization, retention limit, or redaction. In a project-management aggregator, those fields can easily contain sensitive business metadata, personal information, or secrets accidentally embedded in messages, creating a privacy and local data-exposure risk if the host is shared or compromised.

External Transmission

Medium
Category: Data Exfiltration
Content:
| Get board cards | GET | `https://api.trello.com/1/boards/{boardId}/cards?key={key}&token={token}` |
| Create card | POST | `https://api.trello.com/1/cards?key={key}&token={token}` |
| Update card | PUT | `https://api.trello.com/1/cards/{cardId}?key={key}&token={token}` |
| Add comment | POST | `https://api.trello.com/1/cards/{cardId}/actions/comments?key={key}&token={token}&text={text}` |

**Authentication method**: `key` and `token` are passed as query parameters.
Confidence: 88%
Finding: https://api.trello.com/

VirusTotal

65/65 vendors flagged this skill as clean.
