Smart Cache

Security checks across malware telemetry and agentic risk

Overview

This cache skill is coherent and not malicious, but it needs review because it can retain prompts and responses, send text to embedding providers, and expose unauthenticated cache read/write/delete operations if HTTP mode is used.

Install only if you are comfortable with prompts and responses being stored locally. Prefer stdio mode. Avoid HTTP mode unless it is bound to localhost and protected by your own access controls, and never bind it to a public or shared interface. Use the local embedding provider or disable semantic embedding whenever prompts may contain secrets, customer data, proprietary content, or regulated information.
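The checklist above can be turned into a preflight check run before the skill is started. The following is an added example, not the skill's own code: the config keys (mode, http_host, external_access_control, embedding_provider, may_contain_sensitive_data) and the provider names are assumptions that mirror the advice, not the skill's real settings.

```python
"""Preflight check for running a cache skill like this one.

Added example; this is not the skill's own code. The config keys
(mode, http_host, external_access_control, embedding_provider,
may_contain_sensitive_data) are assumed names that mirror the
review's advice, not the skill's real settings."""
import ipaddress

# Assumed provider names that keep prompt text on the machine.
LOCAL_PROVIDERS = {"local", "none"}


def is_loopback(host: str) -> bool:
    """True for the literal name 'localhost', 127.0.0.0/8 and ::1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_deployment(config: dict) -> list[str]:
    """Return the guidance violations found in config; empty means OK.

    Rules, in the order the overview states them: stdio is the safe
    default; HTTP mode must be loopback-only and fronted by the
    operator's own access control; remote embedding is refused while
    the prompts may contain secrets or regulated data."""
    problems = []
    mode = config.get("mode", "stdio")
    if mode == "http":
        host = config.get("http_host", "127.0.0.1")
        if not is_loopback(host):
            problems.append(f"http_host {host!r} is not a loopback address")
        if not config.get("external_access_control", False):
            problems.append("HTTP mode has no access control in front of it")
    elif mode != "stdio":
        problems.append(f"unknown mode {mode!r}")

    provider = config.get("embedding_provider", "none")
    sensitive = config.get("may_contain_sensitive_data", True)  # fail closed
    if sensitive and provider not in LOCAL_PROVIDERS:
        problems.append(
            f"embedding_provider {provider!r} sends prompt text off-host "
            "while prompts may contain sensitive data")
    return problems


if __name__ == "__main__":
    # Constructed configs: one that follows the guidance, one that breaks
    # all three rules at once.
    good = {"mode": "stdio", "embedding_provider": "local"}
    bad = {"mode": "http", "http_host": "0.0.0.0",
           "embedding_provider": "openai"}
    for name, cfg in (("good", good), ("bad", bad)):
        print(name, check_deployment(cfg) or "ok")
```

The sensitive-data flag defaults to true so that a config which forgets to declare it is treated as sensitive; an operator has to opt out explicitly before a remote embedding provider is accepted.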

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The skill is described as a local cache system, but this file adds an HTTP server that exposes cache access over the network. Even if bound to localhost by default, the host and port are configurable and there is no restriction preventing broader exposure, which expands the trust boundary beyond a local-only cache design.

Context-Inappropriate Capability

High (98% confidence)
Finding
The HTTP handler exposes cache query, store, stats, and clean operations without any authentication or authorization checks. Anyone who can reach the service can read cached responses, poison the cache by inserting attacker-controlled entries that later get served as answers, or delete data. This is especially risky because the cache may contain sensitive prompts or model outputs.
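The finding describes what the handler lacks. The following added example, not the skill's own code, shows the two controls that would close it: a bearer token checked in constant time on every request, and a bind step that refuses anything but a loopback address. The route names (/query, /store, /clean), the in-memory dict standing in for the SQLite store, and the CACHE_TOKEN environment variable are assumptions for illustration.

```python
"""Hardened HTTP front end for a cache service.

Added example, not the skill's own code. Routes, the in-memory store
and the CACHE_TOKEN variable are assumptions for illustration."""
import hmac
import ipaddress
import json
import os
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional


def authorized(auth_header: Optional[str], expected_token: str) -> bool:
    """Check an 'Authorization: Bearer <token>' header in constant time.

    Missing, malformed or wrong-scheme headers are rejected, as is an
    empty configured token (which would otherwise match an empty header)."""
    if not expected_token or not auth_header:
        return False
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


class CacheHandler(BaseHTTPRequestHandler):
    token = ""        # set by make_server()
    cache: dict = {}  # stand-in for the skill's SQLite store

    def _reply(self, code: int, body: dict) -> None:
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _gate(self) -> bool:
        """Every route, read or write, passes through the same check."""
        if authorized(self.headers.get("Authorization"), self.token):
            return True
        self.send_response(401)
        self.send_header("WWW-Authenticate", "Bearer")
        self.send_header("Content-Length", "0")
        self.end_headers()
        return False

    def do_POST(self) -> None:
        if not self._gate():
            return
        length = int(self.headers.get("Content-Length", "0"))
        payload = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/store":
            self.cache[payload["key"]] = payload["value"]
            self._reply(200, {"stored": payload["key"]})
        elif self.path == "/query":
            self._reply(200, {"value": self.cache.get(payload["key"])})
        elif self.path == "/clean":
            self.cache.clear()
            self._reply(200, {"cleared": True})
        else:
            self._reply(404, {"error": "unknown route"})


def make_server(host: str, port: int, token: str) -> HTTPServer:
    """Bind only to a loopback IP literal; a hostname or a wildcard such as
    0.0.0.0 raises instead of silently exposing the cache on the LAN."""
    if not ipaddress.ip_address(host).is_loopback:
        raise ValueError(f"refusing to bind cache server to {host!r}")
    if not token:
        raise ValueError("HTTP mode requires a non-empty access token")
    CacheHandler.token = token
    return HTTPServer((host, port), CacheHandler)


if __name__ == "__main__":
    tok = os.environ.get("CACHE_TOKEN") or secrets.token_urlsafe(32)
    print("token:", tok)
    make_server("127.0.0.1", 8765, tok).serve_forever()
```

A loopback bind plus a token is the minimum; it still leaves any local process that can read the token free to poison or wipe the cache, which is why the overview recommends stdio mode where the client and cache share one process boundary.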

Missing User Warnings

Medium (89% confidence)
Finding
The semantic cache feature sends user prompts or prompt-derived text to external embedding services, but the documentation does not prominently warn that user content may be transmitted to third parties. In a caching skill, users may reasonably expect local-only processing, so this omission increases the chance of accidental privacy or compliance violations.

Missing User Warnings

Medium (93% confidence)
Finding
The cache persists raw user queries and model responses to a local SQLite database under the user's home directory, which can contain sensitive prompts, secrets, personal data, or proprietary content. In an AI assistant context this is materially risky because users may not realize their conversations are being retained on disk, increasing exposure through local compromise, backups, shared accounts, or later forensic access.

Missing User Warnings

Medium (95% confidence)
Finding
This code sends arbitrary input text to the OpenAI embeddings API over the network without any built-in notice, consent flow, or redaction step. In a caching/privacy-sensitive skill, users may reasonably expect local processing, so sensitive prompts, secrets, or personal data could be transmitted to a third party unexpectedly.

Missing User Warnings

Medium (96% confidence)
Finding
This implementation transmits text content to the DashScope embedding service without warning the user that their data leaves the local environment. Because this skill is described as a local intelligent cache, the mismatch between expected locality and actual remote transfer increases the privacy and compliance risk.
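The three embedding findings (semantic cache, OpenAI, DashScope) share one missing control: nothing inspects the text before it leaves the host. The following added example, not the skill's own code, is a redaction gate that a deployment could put in front of any remote embedding call. The secret patterns are a constructed, deliberately small set to show the mechanism, not a complete detector, and the embed_remote callable is an assumed stand-in for whichever provider client is in use.

```python
"""Redaction gate in front of a remote embedding call.

Added example, not the skill's own code. SECRET_PATTERNS is a small
constructed set for illustration; embed_remote is an assumed stand-in
for the real provider client."""
import re
from typing import Callable, Optional

# Constructed patterns for common credential and PII shapes.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}")),
    ("credential_assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]


def redact(text: str) -> tuple[str, list[str]]:
    """Replace every match with a tagged placeholder.

    Returns the cleaned text and the names of the patterns that fired,
    in pattern order, so the caller can log what was stripped without
    logging the value itself."""
    hits = []
    for name, pattern in SECRET_PATTERNS:
        text, count = pattern.subn(f"<redacted:{name}>", text)
        if count:
            hits.append(name)
    return text, hits


def text_for_remote_embedding(text: str, block_on_hit: bool = False) -> Optional[str]:
    """Decide what a remote provider may receive.

    Returns the redacted text, or None when something was redacted and
    the policy says such prompts must never go off-host (the cache then
    falls back to exact-match lookup and skips the semantic path)."""
    cleaned, hits = redact(text)
    if hits and block_on_hit:
        return None
    return cleaned


def semantic_embed(text: str, provider: str,
                   embed_remote: Callable[[str], list[float]],
                   block_on_hit: bool = False) -> Optional[list[float]]:
    """Route by provider: 'local' sees the raw prompt because nothing
    leaves the host; anything else goes through the gate first."""
    if provider == "local":
        return embed_remote(text)
    outbound = text_for_remote_embedding(text, block_on_hit)
    if outbound is None:
        return None
    return embed_remote(outbound)


if __name__ == "__main__":
    # Constructed prompt with an embedded key and an e-mail address.
    prompt = "Rotate AKIAABCDEFGHIJKLMNOP and notify ops@example.com"
    print(redact(prompt))
    print(text_for_remote_embedding(prompt, block_on_hit=True))
```

Redacting before embedding changes the vector, so two prompts that differ only in a secret now embed identically; for a cache that is usually desirable, since the secret should never have been part of the lookup key in the first place.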

Missing User Warnings

Medium (91% confidence)
Finding
HTTP mode permits remote cache-writing and cache-cleaning operations but provides no user-facing warning that data can be modified over the network. In the context of an AI assistant cache, this increases the chance of an accidental unsafe deployment, and with it cache poisoning through unauthorized writes or denial of service through unauthorized cleanup.

VirusTotal

67/67 vendors flagged this skill as clean.