Clawpage

Security checks across malware telemetry and agentic risk

Overview

This skill has a real sharing use case, but its default export path can place private agent reasoning, tool data, file paths, and other session details into public pages.

Install only if you deliberately want to publish agent conversations and are prepared to review the generated YAML carefully. Use messages-only export by default; avoid publishing reasoning/thinking, tool arguments, tool results, cwd paths, screenshots, or raw images unless you explicitly want them public; and redact secrets and personal data before pushing or opening a PR.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The instructions explicitly require extracting and publishing full reasoning traces, verbatim tool arguments/results, and embedded image data. For a skill whose purpose is to share conversations as public web pages, this creates a strong risk of exposing hidden chain-of-thought, secrets in tool inputs/outputs, credentials, tokens, file paths, API responses, or other sensitive internal artifacts well beyond what is necessary to publish a user-visible conversation.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The skill description is broad enough to activate for generic requests like exporting or documenting conversations, even when the user may not intend public sharing. In this context, over-broad invocation increases the chance the agent steers users into a workflow that prepares content for external publication, which can lead to unintended disclosure of sensitive chat history.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill is explicitly designed to turn conversations into public web pages, but it does not present an upfront privacy warning before beginning the workflow. Although later steps include redaction, users are not immediately warned that conversation contents may contain secrets, personal data, or confidential material and could become publicly accessible if published.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The preprocessing step extracts potentially sensitive session content into a separate plain-text intermediate file, increasing the number of at-rest copies of conversation data. In a skill specifically designed to publish/share chat sessions externally, silent creation of derived plaintext artifacts raises confidentiality risk if other local users, tools, backups, or later processes can access the temp directory.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The truncation step creates yet another derived file containing retained session text, which can leave sensitive remnants on disk without clear disclosure. Although this is a last-resort path and only keeps the last 200 lines, it still persists conversation data in an additional location and may mislead users about what was retained.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The template explicitly requires verbatim copying of all message text, tool arguments, and tool results, which can include secrets, personal data, filesystem paths, API responses, auth tokens, or other sensitive material. In the context of this skill, whose purpose is to publish conversations as public web pages, this creates a direct path to accidental public disclosure with no built-in redaction or review step.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
The skill instructs appending to a persistent user configuration file in the home directory without calling out that this modifies durable local state. That can surprise users, create unwanted trust in future runs, and persist incorrect or attacker-influenced paths beyond the current task.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The file instructs the agent to copy session contents verbatim, including message text, tool arguments, tool results, and base64-encoded images, without any privacy screening, minimization, or consent checkpoint. In the context of a public-sharing skill, that materially increases the chance of leaking personal data, confidential prompts, access tokens, internal documents, or other sensitive session content to a public URL.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The default export behavior includes all process content, explicitly covering internal reasoning, tool calls, and event data unless the user opts out. For a skill whose purpose is to publish conversations externally, this creates a substantial risk of leaking sensitive internal traces, secrets in tool arguments or results, filesystem paths, and other metadata through a public page.

Ssd 3

Severity: Medium
Confidence: 99%
Finding
This section explicitly documents an 'Everything' mode that includes AI reasoning/thinking, tool calls, and session events in exported output. In the context of a public sharing skill, exposing such data is especially dangerous because reasoning traces and tool data often contain sensitive context, credentials, identifiers, or operational details that users do not expect to publish.

VirusTotal

66/66 vendors flagged this skill as clean.
