auto-wiki

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local wiki-building workflow with some important operational risks, but the sensitive behaviors are mostly purpose-aligned and user-visible.

Install only if you want an agent to create and maintain a persistent local `.wiki/` knowledge base. Use explicit commands for ingest/lint/deep-dive, review any lint repairs before accepting them, avoid the optional external validator for sensitive internal domains, and be aware that generated `_report.html` loads third-party JavaScript from a CDN.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Description-Behavior Mismatch

Medium, 89% confidence
Finding
The lint workflow goes beyond passive diagnostics and authorizes state-changing actions such as index synchronization, broken-link repair, stub creation, and governance operations like merge/archive proposals. In an agentic setting, this increases the chance of unintended or user-unapproved modification of persistent knowledge stores, especially if mode routing or confirmation boundaries are weak.

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The generated report imports `vis-network` from `https://unpkg.com`, so opening a local `_report.html` causes the browser to fetch active third-party JavaScript at view time. That creates an unnecessary supply-chain and privacy risk for a wiki-reporting tool: the remote script can change over time, leak access metadata, or execute arbitrary code in the context of the report page if the CDN or package is compromised.

Vague Triggers

Medium, 95% confidence
Finding
The trigger phrases for ingest are broad enough to match normal conversation such as 'organize this' or 'help me organize,' which can cause unintended activation of a mode that reads input, writes files, and updates persistent knowledge state. In this skill, accidental activation is more dangerous because ingest can create or modify local wiki content and establish long-lived memory across sessions.

Vague Triggers

Medium, 87% confidence
Finding
Query/lint phrases like 'check wiki' and 'clean up' are ambiguous and may activate scanning or modification workflows when the user intended ordinary discussion. In this skill context, lint can perform broad filesystem scans and automatic fixes, so ambiguous routing increases the chance of unintended reads, writes, or structural changes to stored knowledge.

Vague Triggers

Medium, 97% confidence
Finding
Deep-dive phrases such as 'level up' or 'fill gaps' are too generic for a workflow that can launch active search, ingest external material, and write to persistent storage. Although the document includes a confirmation step later in the pipeline, overly broad activation still risks initiating network-enabled research and presenting the user with potentially manipulative or confusing follow-on actions based on casual language.

Missing User Warnings

Medium, 90% confidence
Finding
The documented build script automatically clears and rebuilds the SQLite index, including deleting all rows from existing tables, and the surrounding guidance says it may auto-execute after ingest. Even if the markdown pages remain the source of truth, this still performs destructive writes without an explicit confirmation or safety check at invocation time, which can cause unintended data loss of index state, race-condition issues, or disruption if run against the wrong directory or during concurrent use.

Vague Triggers

Medium, 88% confidence
Finding
The document says the external FIBO validator is an 'optional enhancement layer for lint,' but it also says routing is automatic and provides no hard gating conditions beyond reachability and a meta.yaml declaration. In an agentic system, ambiguous activation rules can cause the validator to run in unintended contexts, sending internally compiled wiki content or user-derived ontology terms to an external endpoint without an explicit, narrow trigger, which creates unnecessary data exposure and unpredictable behavior.

VirusTotal

66/66 vendors flagged this skill as clean.