ClawHub

File Organizer

Security checks across malware telemetry and agentic risk

Overview

This file organizer is not deceptive, but it can immediately move many user files in common folders without a preview or undo step.

Review carefully before installing. Use it only if you are comfortable with an agent-accessible tool that can reorganize files in common folders; test on a small folder first, and prefer the statistics/view mode before running it on important directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger keywords are very broad terms like '整理' and '分类', which commonly appear in ordinary conversation and unrelated tasks. This can cause accidental invocation of a file-manipulation skill, increasing the chance of unintended organizing or deduplication actions on user files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises organizing files and cleaning duplicates but provides no warning that these operations may move, rename, or remove user data. In this context, the missing warning is important because file deduplication and auto-classification can produce irreversible data loss, broken references, or misplaced files if classification is wrong.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill performs immediate file moves across an entire user-selected directory once triggered, with no preview, dry-run, or confirmation step before calling the reorganization routine. This is dangerous because it can unexpectedly alter a user's Desktop, Downloads, or arbitrary path, disrupting workflows, breaking expected file locations, and causing difficult-to-reverse changes even if no data is deleted.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal