Wikisage

Security checks across malware telemetry and agentic risk

Overview

Wikisage is a disclosed agent-maintained local wiki skill with expected file writes and persistence, though users should treat the wiki and optional cloud embedding features as sensitive.

Install only if you want an agent to maintain a long-term local knowledge base. Keep WIKI_ROOT private and scoped through the filesystem MCP, avoid storing secrets or regulated customer data, review broad ingest/lint changes before applying them, and do not run embed.py or pipe lint summaries to chat/email/webhooks unless you are comfortable sending that information to those services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability
Severity: Medium
Confidence: 86%
Finding: Allowing `exec grep -rn` as a fallback introduces shell execution into a skill whose primary purpose is local wiki read/write. Shell fallback expands the attack surface: environment-variable manipulation, command-construction mistakes, or future extension of shell usage could let the agent read beyond intended files or execute unintended commands.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The script transmits wiki page contents and user queries to AWS Bedrock for embeddings and stores full page content in remote OpenSearch, which contradicts the stated expectation of a long-lived local wiki. This creates a real data exfiltration and privacy boundary issue: users may believe data stays local while sensitive notes are sent to external managed services and retained remotely.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The query flow explicitly expands from local wiki lookup to optional external MCP sources and web search, which changes the skill from a local knowledge retriever into a network-capable information exfiltration path. If user prompts or wiki content contain sensitive internal terms, this design can leak them to third-party services without explicit consent or clear boundary checks.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The skill's stated purpose is a persistent local wiki, but the instructions add generalized external documentation and web search capabilities that are broader than necessary. This increases attack surface and can be abused to transmit internal project names, customer data, or proprietary questions to external systems under the guise of answering ordinary technical queries.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The README explicitly recommends piping lint summaries into email, chat, and webhook endpoints, but it does not warn that summaries may contain wiki-derived sensitive metadata or operational details. In the context of a persistent knowledge base that may store client, project, or internal information, this creates a real risk of unintentional external disclosure.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding: The trigger condition instructs the agent to consult and potentially rely on persistent wiki content for broad categories like customer, history, and account-related technical questions. In context, that increases the chance of automatically pulling sensitive retained data into responses or workflows without clear user consent or need-to-know checks.

Vague Triggers
Severity: Medium
Confidence: 73%
Finding: The instruction to ask whether valuable technical answers should be stored in the wiki is vague and can encourage indiscriminate retention of sensitive or proprietary information. This is less severe than direct exfiltration, but it normalizes unnecessary persistence and increases later disclosure risk.

Missing User Warnings
Severity: Low
Confidence: 84%
Finding: The script will fetch arbitrary HTTP(S) URLs and fully read the response body into memory, then persist metadata about the source into a local cache, with no validation, allowlist, or explicit safety guard. In an agent skill context, this can enable unintended outbound network access, access to internal resources via SSRF if attacker-controlled URLs are accepted upstream, and memory exhaustion from very large responses.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The ingest instructions are triggered by broad conditions such as when a user provides a document/URL or when a response is merely considered 'valuable', which can overlap with ordinary conversation and cause unintended persistence actions. In a skill that performs wiki writes and cross-page edits, accidental activation can lead to unreviewed storage of sensitive, irrelevant, or low-quality content.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The workflow instructs the agent to create and edit multiple local wiki files, logs, indexes, and cross-references, but it does not require an explicit warning that persistent local data will be modified. Because this skill can touch 5-15 related pages in one ingest, the absence of a user-visible warning or confirmation increases the chance of surprising, irreversible, or privacy-impacting writes.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: Using the bare trigger phrase `lint` is overly broad and can cause unintended skill activation during unrelated user requests about code linting, markdown linting, or general cleanup. In an agentic system, accidental invocation can lead to the model reading or modifying the local wiki context when the user did not intend to operate on this skill.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding: The trigger condition covers general technical questions, making activation much broader than a user explicitly asking to query the wiki. In context, this broad trigger is more dangerous because the workflow can then proceed to external MCP or web search, causing unintended data access or disclosure during routine conversations.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The file describes use of a specific local configuration path and outbound search behavior but provides no user-facing privacy warning before sending queries to external MCP services. This is risky because users may assume a local-only wiki lookup while their prompts, keywords, or internal identifiers are transmitted to configured third parties.

Ssd 3
Severity: Medium
Confidence: 90%
Finding: The feature description says log.md is an append-only timeline of every ingest, query, and lint operation, which implies durable retention of potentially sensitive prompts, source references, or query topics. In a long-lived wiki intended to hold valuable technical and possibly client knowledge, broad append-only logging increases data exposure and retention risk if the filesystem or repo is accessed by others.

Ssd 3
Severity: Medium
Confidence: 89%
Finding: The skill explicitly targets customer, history, and account information for local persistence and also maintains an operation log. In context, a persistent natural-language store plus logs can accumulate sensitive business data that may later be searched, reused in answers, or exposed to anyone with filesystem access.

Ssd 3
Severity: Medium
Confidence: 91%
Finding: The documented wiki structure includes `clients/` content and append-only logging of ingest titles, creating persistent records of potentially sensitive client/account material. This raises confidentiality risk because titles and summaries often reveal sensitive context even when the underlying documents are not directly exposed.

VirusTotal

64/64 vendors flagged this skill as clean.