Personal Data Hub

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate personal-data gateway purpose, but it needs review because it can automatically create and expose access keys, read local credentials, and bypass parts of its own gateway model.

Install only if you trust the PersonalDataHub local server and are comfortable giving this skill access to Gmail/GitHub-mediated personal data. Before enabling it, confirm how API keys are created, scoped, logged, rotated, and revoked; consider disabling automatic key creation and direct credential-file fallback; and verify how to stop the background service and remove ~/.pdh credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: Medium, confidence: 95%
Finding
The fallback path bypasses the declared high-level tools and tells the agent to read `~/.pdh/credentials.json` and perform raw authenticated HTTP requests. This undermines the safety framing of gateway-mediated access and expands the attack surface to local secret theft, arbitrary request construction, and policy bypass if the tool layer enforces additional controls.

Intent-Code Divergence

Severity: Medium, confidence: 74%
Finding
The documentation states that outbound actions do not execute until approved, yet it advertises action types such as `send_email` alongside drafts and replies. Even if the backend stages everything, this ambiguity can cause integrators or agents to assume immediate-send is supported, increasing the risk of unintended outbound actions or unsafe implementations.

Intent-Code Divergence

Severity: Low, confidence: 72%
Finding
Saying agents 'read credentials automatically' contradicts the claimed access-control gateway model because it normalizes direct secret consumption by the agent. In this context, that weakens the trust boundary: a compromised or over-permissioned agent can use the raw credential outside the intended tool interface.

Description-Behavior Mismatch

Severity: Medium, confidence: 95%
Finding
The skill does more than consume user-supplied PersonalDataHub credentials: it actively probes for a local hub and creates a new API key automatically. That expands its authority from passive gateway use into credential provisioning, which can silently grant the agent access to personal data without an explicit user approval step in the skill configuration.

Context-Inappropriate Capability

Severity: Medium, confidence: 88%
Finding
The code harvests credentials from environment variables and a local credentials file when plugin config is absent. While common for developer tooling, this gives the skill credential access beyond its declared role and can cause it to attach to sensitive personal-data services using ambient secrets the user did not intend this agent session to consume.

Description-Behavior Mismatch

Severity: Medium, confidence: 92%
Finding
The prompt explicitly tells the agent to access GitHub using its own tools rather than through the PersonalDataHub pull/propose boundary. That creates a policy-bypass path where repository data may be accessed outside the owner's mediated controls, logging, filtering, and redaction model described elsewhere in the skill.

Intent-Code Divergence

Severity: Medium, confidence: 95%
Finding
The prompt is internally contradictory: it says GitHub access is controlled by PersonalDataHub while also instructing the agent to bypass the hub and use direct GitHub tools. This ambiguity is dangerous because agents will often follow the operational instruction, leading to unauthorized access patterns and weakening the user's expectation that all data handling is mediated by the gateway.

Description-Behavior Mismatch

Severity: High, confidence: 97%
Finding
The code performs privileged bootstrap behavior by creating a new API key for the skill, which goes beyond simply consuming filtered data through an existing access-control gateway. In this skill context, automatic credential minting expands the skill’s authority and creates a path to unauthorized or unreviewed access if a local hub is present or spoofed.

Context-Inappropriate Capability

Severity: High, confidence: 96%
Finding
The skill probes common localhost endpoints to discover a hub and pairs that with unauthenticated key provisioning, effectively turning discovery into opportunistic credential acquisition. Given the skill’s stated purpose, this is unnecessary and dangerous because any compatible local service could be targeted without deliberate user configuration.

Intent-Code Divergence

Severity: Medium, confidence: 88%
Finding
The docstring normalizes the lack of authentication on the key-creation endpoint as acceptable, even though the function mints credentials that grant ongoing access. This framing can encourage unsafe integration patterns and hide the fact that the code is exercising a privileged capability.

Missing User Warnings

Severity: Medium, confidence: 90%
Finding
The documentation instructs reading a local credential file containing an API key without an explicit warning or consent boundary around sensitive secret access. This is dangerous because it teaches the agent to harvest reusable credentials from disk, which can be repurposed for unauthorized data access or exfiltration beyond the intended workflow.

Missing User Warnings

Severity: Medium, confidence: 95%
Finding
The autoSetup path creates an API key immediately after a health check, with no user-facing confirmation, warning, or opportunity to review requested access. In a personal-data skill, silent credential creation is particularly risky because it grants durable access to sensitive information and action surfaces.

VirusTotal

65/65 vendors flagged this skill as clean.