Sequential Read

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local reading workflow that stores selected text and reflections on disk, with no evidence of exfiltration or destructive behavior.

Install only if you are comfortable with the selected text and source-derived reflections being stored locally under memory/sequential_read. Avoid sensitive documents unless local retention is acceptable, delete session folders when finished if needed, and use generated session IDs rather than hand-crafted path-like IDs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes Python scripts, reads source files and templates, and writes persistent session artifacts, but it declares no permissions or user-facing warning about those capabilities. This creates a transparency and consent gap: an agent may access local files and persist data beyond what a user reasonably expects from a 'read a file' skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The optional 'reader-mind' workflow expands the skill from processing a single provided prose file into maintaining cross-book persistent memory and rewriting prior context files. That broadens data collection and retention beyond the stated purpose, increasing privacy risk and the chance that unrelated or sensitive material is carried into future runs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs autonomous session creation and persistent disk writes as part of normal execution without warning the user up front. Hidden persistence is risky because it can leave source-derived content, metadata, and intermediate reflections on disk even when the user may expect a transient read-only operation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This optional workflow allows prior reader-mind files to be loaded into prompts and then revised on disk, but it does not warn that historical context may be read and overwritten. That can expose prior reading history to subsequent tasks and silently mutate long-lived files, compounding privacy and integrity risks over time.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs the agent to write chunk files to temporary storage and persist them via session management without any user-facing disclosure or confirmation. Even though these writes are part of the skill's intended functionality, they create and store derived copies of user content and metadata on disk, which is a real integrity and privacy concern if the user does not understand that persistent files will be created.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill updates persistent session state and writes chunking notes into workspace memory, but it does not surface that it will modify durable session data. In this context, the behavior is operationally necessary, yet it still represents a genuine vulnerability pattern because silent state mutation can surprise users, overwrite prior state, and leave behind sensitive reading history or source-derived notes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to write a synthesis file into the workspace and update session state, but the markdown does not clearly disclose these side effects to the end user at execution time. This creates an integrity and transparency risk: invoking the skill can silently modify local state and mark sessions complete, which may overwrite expected workflow state or persist unintended content.

VirusTotal

66/66 vendors flagged this skill as clean.
