ClawHub

Sentiment Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local sentiment tool, but its tracking feature stores customer message snippets in a shared temporary location with weak session scoping and cleanup controls.

Review before installing if you handle real customer conversations. Use the analyzer-only path for sensitive text, or modify the tracker to store only derived scores in a private directory with restrictive permissions, validated session IDs, and automatic retention cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script persists per-session conversation snippets and sentiment history to /tmp without any access control, retention policy, or demonstrated necessity beyond transient analysis. Because the skill processes customer-service text, this can expose sensitive customer content and inferred emotional state to other local users, later processes, or forensic recovery, making the storage behavior a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document directs storing full customer message text, sentiment labels, and timestamps in a predictable file under /tmp, which is typically intended for temporary shared storage and may be accessible to other local users or processes depending on system configuration. In a customer-support context this can expose sensitive conversational content and create unintended retention of personal data without safeguards, minimization, or privacy notice.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Session history is written to disk silently, with no user-facing disclosure or consent mechanism, despite containing message excerpts, timestamps, and sentiment scores. In a customer-support context, this creates an undisclosed collection of potentially sensitive conversational and behavioral data, increasing legal, compliance, and privacy exposure.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal