Pages: Books that stay with you.

Security checks across malware telemetry and agentic risk

Overview

This is a local reading-log skill with disclosed file storage and contextual recall, but users should be aware of optional web lookups, reminders, and unpinned update instructions.

Install this if you want your agent to maintain a persistent local reading memory and use it in future conversations. Avoid storing sensitive reflections unless you are comfortable having them resurfaced, confirm before enabling HEARTBEAT or cron reminders, be cautious with Peeps cross-writes, and prefer reviewed or pinned updates instead of replacing the skill from GitHub main.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill claims to manage local book notes, but it also directs the agent to perform web searches and fetch remote content. That expands its trust and network boundary beyond the stated purpose, creating privacy risk and an opportunity for unreviewed external content to influence behavior.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The self-update instruction tells the agent to replace its own SKILL.md with content fetched from GitHub, which is a direct self-modification path from an external source. This can silently introduce new instructions, broaden permissions, or inject malicious behavior without local review.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill asks the agent to suggest or create HEARTBEAT.md entries and cron jobs, which extends it from note-taking into persistence and scheduled execution. That increases the chance of unwanted automation and repeated execution of skill behavior outside the user's immediate request.

Vague Triggers

Medium
Confidence: 84%
Finding
The activation rules are broad enough to trigger on ordinary conversation about books, quotes, themes, or people, and even instruct the agent to surface relevant reads contextually without being asked. Over-broad activation can cause unintended file searches, note updates, or disclosure of personal reading history in contexts where the user did not request it.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs web searches for book metadata and cover images but does not require a clear user-facing notice that network requests may expose reading interests and related personal context. This creates avoidable privacy leakage and increases exposure to untrusted remote content.

VirusTotal

66/66 vendors flagged this skill as clean.
