Personaldatahub

Security checks across malware telemetry and agentic risk

Overview

This skill mostly fits its PersonalDataHub purpose, but it has under-disclosed credential creation and direct GitHub access behavior that users should review before installing.

Review before installing. Use this only if you intentionally want an agent to connect to PersonalDataHub with API-key access to personal data. Prefer explicit hubUrl and apiKey configuration, avoid automatic key creation, rotate any key printed in logs, and confirm whether direct GitHub access with the agent's own credentials is acceptable in your workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no permissions, yet its documented install and fallback behavior clearly require network access and reading local configuration from the user's home directory. This is a real transparency and trust issue because agents and users may authorize the skill under false assumptions about its capabilities, increasing the chance of unintended data access or outbound communications.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose says all access is mediated through a policy-controlled gateway, but the behavior includes local config discovery, environment inspection, hub autodiscovery, and setup-time key creation that are not disclosed in the high-level description. That mismatch is dangerous because it widens the trust boundary beyond the stated gateway and could expose local secrets or connect to unintended services, especially in automated agent environments.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The declared config resolution includes auto-discovery that probes localhost and creates an API key, which goes beyond passive data access and introduces implicit network access and state-changing behavior. In an agent skill, this is dangerous because initialization may silently create credentials or connect to local services without explicit user consent, expanding the trust boundary beyond the documented pull/propose gateway.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Exporting setup and credential-management helpers such as createApiKey, autoSetup, discoverHub, and readCredentials broadens the module's capabilities beyond the stated skill purpose. This increases the chance that agents or downstream code invoke sensitive credential or discovery functions unintentionally, enabling unauthorized local credential access or side effects not obvious from the manifest.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill goes beyond passive configuration by probing for a local hub and automatically creating a new API key at runtime. In a personal-data skill, silently minting credentials expands access without explicit user approval and can grant the agent unauthorized or unexpected reach into sensitive data systems.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The prompt explicitly instructs the agent to bypass PersonalDataHub for GitHub and use its own credentials directly, which expands access beyond the declared gateway and owner-mediated controls. This breaks the security boundary promised by the skill and could expose repositories or metadata not filtered, redacted, or authorized through PersonalDataHub.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill description and prompt claim that PersonalDataHub mediates access to personal data, but the same prompt states GitHub is accessed directly with the agent's own credentials. This inconsistency is dangerous because users and downstream agents may rely on the documented boundary and assume all accessed data is policy-filtered when GitHub data is not.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The prompt explicitly tells the agent to access GitHub directly with its own credentials instead of through the PersonalDataHub pull/propose control plane. That creates a policy bypass: repository scope, data filtering, logging, and owner-governed mediation no longer reliably apply, so the agent may access or act on data outside the owner's authorized boundary.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The prompt claims personal data access is mediated by PersonalDataHub, but later carves out GitHub as a direct-access exception. This contradiction is dangerous because it can mislead downstream users, auditors, or the model itself into assuming all data access is gateway-controlled when a significant channel is actually outside that boundary.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The setup API allows the skill to mint an API key for itself rather than relying only on pre-provisioned, user-approved credentials. That expands the skill's authority beyond its stated role of consuming already-gateway-filtered data, and if a local owner-accessible endpoint is reachable, the skill could silently bootstrap durable access without meaningful consent.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill includes logic to autonomously create an API key for itself, which expands its effective privileges beyond merely consuming gateway-filtered data and proposing actions. In this skill context, self-provisioning credentials is especially risky because it can silently establish durable access to a personal data hub and bypass expected user-mediated onboarding and consent boundaries.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code comment assumes POST /api/keys is safe because it is 'owner-local', but the implementation accepts any hubUrl and performs the request without verifying that the target is actually localhost or otherwise trusted. That mismatch can lead to credential creation attempts against arbitrary endpoints, increasing the risk of misuse, SSRF-like local network access, or accidental key provisioning on an attacker-controlled service.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The prompt explicitly tells the agent to access GitHub using its own credentials instead of routing requests through PersonalDataHub, which defeats the stated access-control boundary. This creates a policy-bypass path where the agent may access repositories or scopes not filtered, logged, or constrained by the owner’s PersonalDataHub rules.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file claims personal data access is mediated by PersonalDataHub, but later contradicts that guarantee by instructing the agent to bypass the pull path for GitHub. This mismatch is dangerous because users and downstream components may trust that all data access is policy-filtered and owner-controlled when, in fact, GitHub access can occur outside that boundary.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The interface documentation explicitly lists sensitive credential sources, including environment variables and a credentials file, but provides no warning that the skill may access them during configuration resolution. In an agent environment, undisclosed access to local secrets can surprise users and operators, and can facilitate overbroad secret exposure if the runtime grants filesystem or environment access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The comments describe automatic hub probing and API key creation without warning that initialization may perform network discovery and mutate local or remote authentication state. Hidden probing and credential creation are risky in agent skills because they can trigger connections to unintended services, create persistent access tokens, and violate least surprise and least privilege expectations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code logs the newly created API key in plaintext, which can expose a live credential to log files, log aggregators, developers, support staff, or other tenants with log access. Because this skill brokers access to personal data, compromise of that key could directly enable unauthorized data access or outbound actions through the hub.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill performs network discovery and credential creation without explicit user confirmation, which is especially risky in a plugin that handles personal emails, issues, and outbound actions. The skill context makes this more dangerous because a successful auto-setup can silently connect the agent to sensitive personal-data infrastructure and enable actions under newly issued credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Auto-setup combines discovery, health checking, and API key creation into a single flow that can establish persistent credentials with no explicit user-facing confirmation described here. In the context of a personal data skill, silent credential provisioning materially increases the chance of unauthorized long-term access to sensitive user data and actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The declarations explicitly state that API key creation is performed over HTTP, which exposes a sensitive credential-management operation to interception or manipulation if transport is not strongly protected. Even on a local network or loopback-discovery model, using unauthenticated or non-TLS HTTP for issuing keys creates a serious risk of credential theft or endpoint spoofing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Auto-setup creates an API key over HTTP with no visible confirmation or warning to the user, which undermines informed consent for granting access to sensitive personal data. In a personal-data skill, silent credential issuance is more dangerous because users may not realize the skill has established ongoing authenticated access to emails, issues, or other hub-managed content.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The plugin automatically probes localhost to discover a hub and then connects to whatever service responds, which can create an implicit trust boundary with no user approval. In a skill that exposes personal data access and outbound action proposal, connecting to an unintended local service could route sensitive requests or prompts to the wrong process, increasing risk of data exposure or unauthorized action mediation.

Credential Access

High
Category
Privilege Escalation
Content
/** Path to the credentials file written by `npx pdh init`. */
export const CREDENTIALS_PATH = join(homedir(), '.pdh', 'credentials.json');
/**
 * Read credentials from ~/.pdh/credentials.json.
 * Returns null if the file doesn't exist or is malformed.
 */
export function readCredentials() {
Confidence
88% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
/**
 * Hub discovery and auto-setup utilities.
 *
 * Used by the skill to detect a running PersonalDataHub and create
 * an API key for itself. All communication is over HTTP — no dependency
 * on the main PersonalDataHub source.
 */
Confidence
84% confidence
Finding
create
 * an API key for itself. All communication is over HTTP — no dependency
 * on the main PersonalDataHub source.
 */
import { existsSync, readFileSync } from 'node:fs';
import { join } from 'nod

VirusTotal

64/64 vendors flagged this skill as clean.
