Sift

Security checks across malware telemetry and agentic risk

Overview

Sift appears to be a legitimate research skill, but it adds automatic daily self-updates and persistent research storage that users should review before installing.

Install only if you are comfortable with a research skill that stores local journals and extracted research data, sends selected extracted entities to another local skill intake, may use browsing/location/profile context for query rewriting, and creates a daily GitHub self-updater. Prefer disabling the cron updater or using manual updates, avoid sensitive research unless the retention and cross-skill sharing model is acceptable, and use limited-purpose search API keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill advertises automatic daily self-updates from GitHub but does not clearly warn that this causes recurring network activity and remote code changes after installation. This creates a supply-chain and persistence risk, because future upstream compromise or repository changes could alter local behavior without a deliberate user action at update time.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill advertises automatic daily self-updates from GitHub but does not clearly warn that this causes recurring network activity and remote code changes after installation. This creates a supply-chain and persistence risk, because future upstream compromise or repository changes could alter local behavior without a deliberate user action at update time.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are extremely broad (for example, common requests like 'what is', 'summarize this', or 'search for'), which makes accidental invocation likely. In this skill, accidental invocation is not harmless because using the skill causes web access, persistent local logging, and cross-skill data emission, so an ordinary user request could unintentionally trigger side effects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly persists sessions, entities, sources, and decisions to local JSONL files and writes Signal files into another skill's intake directory, but the description provides no user-facing warning or consent boundary. This creates a privacy and data-governance risk because normal research activity may silently leave durable local artifacts and propagate extracted content to other components.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill may read recent browsing context from another component to improve query rewriting, but there is no explicit privacy notice or permission model around that access. This can expose unrelated or sensitive browsing context to the skill and broaden the data available for storage, synthesis, and downstream signaling.

Missing User Warnings

High
Confidence
98% confidence
Finding
The self-update flow retrieves remote content from GitHub and overwrites local skill files, yet it runs silently and without integrity verification, review, or clear user warning. That creates a supply-chain and unauthorized code replacement risk: compromise of the repository, branch, or network path could replace the installed skill with malicious logic that inherits this skill's filesystem and scheduling capabilities.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to write a journal file to a fixed path under the user's home directory on every run, creating a filesystem side effect without any user-facing warning or consent gate. While the content appears to be operational logging rather than overtly malicious, mandatory writes can still violate least-privilege expectations, create privacy/compliance issues, and be abused if run metadata contains sensitive information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs query rewriting to use geolocation and user profile context without mentioning notice, consent, or minimization. This can silently incorporate sensitive location or profile-derived data into external searches, creating privacy leakage and potentially exposing user context to third-party providers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill says that when a user provides a URL, the system should fetch it directly and extract content, but it does not require warning the user that an outbound request will be made. This can cause unintended network access, leak agent/IP metadata, and enable retrieval of untrusted or internal resources if URL handling is not constrained.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest uses very broad trigger phrases such as 'what is', 'compare', and 'summarize this', which can cause the skill to activate for generic user requests outside its intended scope. In a skill that performs web lookups and writes to local storage, unintended invocation increases the chance of unnecessary external queries, data handling, and side effects without clear user intent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The manifest states that the skill performs web research using external providers and has write access to multiple local directories, but it does not clearly warn users about outbound data transmission or persistent filesystem effects. This can lead to users unintentionally sending sensitive prompts to third-party search services or causing local data to be stored without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.
