Peeps: Your people, remembered.

Security checks across malware telemetry and agentic risk

Overview

This contact-management skill is not malicious, but it deserves review because it stores and resurfaces sensitive personal notes, searches the web by default, and can silently mutate local action history.

Install only if you are comfortable keeping personal relationship intelligence as local plaintext files and with the agent using web search for people by default. Before using it, consider changing the instructions to ask before external searches, image fetching, heartbeat/cron checks, cross-skill sharing, and action cleanup; avoid storing details you would not want resurfaced later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill markets itself as local-contact management, but repeatedly instructs the agent to search the web for people and organizations and to fetch remote content. That expands the trust boundary beyond local files, can leak user intent about private contacts to external services, and creates a mismatch between user expectations and actual data handling.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The heartbeat/cron behavior causes the agent to periodically inspect personal contact files and proactively surface relationship details without a fresh user request. For a repository of sensitive personal and professional notes, that increases exposure risk and can disclose private context in inappropriate channels or moments.

Context-Inappropriate Capability

Low
Confidence: 98%
Finding
The self-update instruction tells the agent to fetch a remote SKILL.md from GitHub and replace the current file. This introduces remote code/instruction supply-chain risk because future behavior can be changed by external content without a trusted review step.

Missing User Warnings

Medium
Confidence: 86%
Finding
The README promotes storing sensitive personal relationship data in local markdown files without warning users about privacy risks, retention, accidental sync/backup exposure, or handling of third-party personal data. In the context of a people-intelligence skill, this omission materially increases the chance that users collect sensitive information without informed safeguards.

Vague Triggers

Medium
Confidence: 91%
Finding
Telling the agent to ask about anyone mentioned in conversation creates an overly broad trigger that can capture incidental third-party mentions unrelated to the user's intent. In a people-memory skill, this broad activation encourages unnecessary collection of personal data and increases privacy risk.

Missing User Warnings

High
Confidence: 99%
Finding
The skill instructs the agent to silently delete and modify entries in actions.md on read, including removing completed items and moving stale catch-ups. Silent data mutation and deletion of user-maintained records can destroy auditability, lose important context, and violate user expectations about persistence.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill mandates automatic web searching for a person before asking follow-up questions, without requiring consent or warning. Searching a person's name plus user-supplied context can expose sensitive relationship information or private inquiries to external services and contradict the local-storage framing.

Ssd 3

Medium
Confidence: 95%
Finding
The skill explicitly directs the agent to proactively surface personal relationship details from contact files in DMs or other channels. Because these files include private notes, family details, health issues, and sensitive topics, proactive resurfacing increases the chance of unintended disclosure beyond the original context of collection.

VirusTotal

66/66 vendors flagged this skill as clean.
