Weave

Security checks across malware telemetry and agentic risk

Overview

Weave’s social-graph functionality is coherent, but it automatically registers a daily self-update job that can replace the installed skill with code fetched from GitHub without per-update review.

Review before installing. This skill is meant to retain private information about people and relationships, and optional Google Contacts or Clay sync can read and write external contact data. The main issue is the automatic daily self-update job; install only if you are comfortable disabling or auditing that cron job and reviewing updates manually. Keep writeback disabled unless needed, approve syncs deliberately, and avoid storing sensitive personal details that do not need long-term retention.
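Auditing the self-update cron job the overview refers to can be scripted. The following is an added example written for this page, not code from the Weave skill or from SkillSpector: it parses crontab text, flags jobs whose command both fetches or applies code and points at a skill directory, and comments those lines out rather than deleting them so they can be run by hand after review. The sample crontab, the `~/.skills/weave` path and the `update.sh` script name are constructed assumptions; the real skill's job name and install path are not shown on this page.

```python
"""Find and disable unattended self-update jobs in a crontab.

Added example for this page; not code from the Weave skill or SkillSpector.
The crontab below is constructed, and the path ~/.skills/weave and the
script name update.sh are assumptions, not the skill's real job.
"""
import re
import sys

# Constructed sample crontab: two ordinary jobs plus a hypothetical daily
# self-updater for a skill directory.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 7 * * * /usr/local/bin/backup-notes.sh
30 3 * * * cd ~/.skills/weave && ./update.sh >/dev/null 2>&1
*/15 * * * * /home/user/bin/sync-mail
"""

# Commands that pull or apply code from somewhere else.
UPDATE_HINTS = re.compile(
    r"(update\.sh|self[-_]?update|git\s+pull|curl\s|wget\s|github\.com)", re.I
)
# Paths that look like an installed agent-skill directory (assumed layouts).
SKILL_PATH_HINTS = re.compile(r"(/\.?skills?/|/skill[-_]|\.claude/skills)", re.I)


def parse_crontab(text):
    """Return (line_no, schedule, command) for each active job line."""
    jobs = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank or comment
        if "=" in line.split()[0]:
            continue                          # VAR=value assignment, not a job
        if line.startswith("@"):              # @daily, @reboot, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) != 6:
                continue                      # malformed; cron would reject it
            sched, cmd = " ".join(parts[:5]), parts[5]
        jobs.append((n, sched, cmd.strip()))
    return jobs


def find_self_update_jobs(text):
    """Jobs whose command both fetches/applies code and targets a skill dir."""
    return [
        (n, sched, cmd)
        for n, sched, cmd in parse_crontab(text)
        if UPDATE_HINTS.search(cmd) and SKILL_PATH_HINTS.search(cmd)
    ]


def disable_jobs(text, line_numbers):
    """Comment out the given job lines instead of deleting them, so the
    schedule and command stay visible for a manual, reviewed run."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        out.append(f"# DISABLED-PENDING-REVIEW {raw}" if n in line_numbers else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Pipe in a real crontab (`crontab -l | python3 audit_cron.py`) or run
    # with no piped input to use the constructed sample.
    text = SAMPLE_CRONTAB if sys.stdin.isatty() else sys.stdin.read()
    flagged = find_self_update_jobs(text)
    for n, sched, cmd in flagged:
        print(f"line {n}: [{sched}] {cmd}")
    if flagged:
        sys.stdout.write(disable_jobs(text, {n for n, _, _ in flagged}))
```

Run it as `crontab -l | python3 audit_cron.py`, read each flagged line, and only then load the disabled version back with `crontab -`. The hint patterns are deliberately broad and will produce false positives on unrelated fetch jobs; the point is to surface candidates for a human to read, not to make the decision automatically.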

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding
The README states that the skill automatically registers a daily cron job for self-updates, but it does not present this behavior as a prominent warning or require clear opt-in. Automatic code updates change the trusted codebase over time and can introduce supply-chain risk or unexpected behavior without the user's informed consent.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The README advertises bidirectional sync and writeback to Google Contacts and Clay, but does not provide a prominent warning that this involves exporting and modifying privacy-sensitive contact data in external systems. In a social-graph skill handling personal relationships and preferences, insufficient disclosure increases the risk of unintended data exposure, propagation, or compliance issues.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill defines a silent self-update mechanism that downloads code from a remote GitHub repository and overwrites the local skill files in place. This is dangerous because it enables unreviewed code changes to occur automatically, creating a supply-chain risk if the upstream repository, GitHub account, or network path is compromised.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The initialization flow registers a cron job that will invoke the updater automatically every day, causing ongoing code modification after first use without a strong consent boundary. In context, this is more dangerous because the skill handles sensitive personal/social-graph data, so any later malicious update could gain access to highly private information or alter sync behavior.
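The two findings above describe one mechanism: code is fetched from the upstream GitHub repository and written over the installed skill files in place, on a daily schedule, with nothing between fetch and overwrite. A reviewed alternative, shown here as an added example written for this page rather than code from the Weave skill, stages the fetched tree beside the install, hashes it into a per-file manifest, tells the operator which files changed, and replaces the installed tree only when the manifest digest equals a value the operator pinned after reading that diff. The directory layout, file names and sample trees are constructed; how the real updater fetches from GitHub is not shown on this page, so fetching is left out and the staged tree is simply written to disk.

```python
"""Stage, diff and pin-check a skill update before replacing the install.

Added example for this page; not the Weave skill's updater. The directory
layout, file names and sample trees below are constructed. Fetching from
GitHub is out of scope here: the staged tree is written directly to disk.
"""
import hashlib
import os
import shutil
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = file_sha256(full)
    return out


def manifest_digest(m):
    """One digest over the sorted manifest, so a single pin covers the whole tree."""
    h = hashlib.sha256()
    for rel in sorted(m):
        h.update(f"{rel}\0{m[rel]}\n".encode())
    return h.hexdigest()


def diff_manifests(installed, candidate):
    """Return (added, removed, changed) relative paths."""
    added = sorted(set(candidate) - set(installed))
    removed = sorted(set(installed) - set(candidate))
    changed = sorted(p for p in installed.keys() & candidate.keys()
                     if installed[p] != candidate[p])
    return added, removed, changed


def promote_if_pinned(installed_dir, staging_dir, pinned_digest):
    """Swap staging_dir in for installed_dir only when the staged tree's digest
    matches pinned_digest. Returns (promoted, digest, diff); on a mismatch the
    installed tree is left untouched and the diff tells the reviewer what to read."""
    inst, cand = manifest(installed_dir), manifest(staging_dir)
    digest = manifest_digest(cand)
    diff = diff_manifests(inst, cand)
    if pinned_digest is None or digest != pinned_digest:
        return False, digest, diff
    backup = installed_dir + ".prev"
    shutil.rmtree(backup, ignore_errors=True)
    os.rename(installed_dir, backup)           # keep the old tree for rollback
    shutil.copytree(staging_dir, installed_dir)
    return True, digest, diff


def write_tree(root, files):
    """Write {relative path: text} under root (builds the constructed sample)."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)


def demo():
    """Constructed scenario: the staged update adds a network import to sync.py."""
    work = tempfile.mkdtemp()
    try:
        installed = os.path.join(work, "weave")
        staging = os.path.join(work, "weave.staging")
        write_tree(installed, {"SKILL.md": "# weave\n",
                               "lib/sync.py": "def sync():\n    pass\n"})
        write_tree(staging, {"SKILL.md": "# weave\n",
                             "lib/sync.py": "import urllib.request\n\ndef sync():\n    pass\n"})
        # First run: nothing pinned yet, so the install is left alone and the
        # reviewer gets the list of changed files plus the digest to pin.
        promoted_1, digest, diff = promote_if_pinned(installed, staging, None)
        # After reading lib/sync.py the operator pins that digest; now it applies.
        promoted_2, _, _ = promote_if_pinned(installed, staging, digest)
        has_backup = os.path.isdir(installed + ".prev")
        return promoted_1, promoted_2, diff, has_backup
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The pin is a digest over file contents rather than a git tag or branch name, so a force-push or a moved tag upstream cannot change what gets promoted; the operator has to look at the diff and re-pin for every update, which is the consent boundary the findings say is missing.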

Missing User Warnings

Severity: Low
Confidence: 78%
Finding
The skill mandates persistent local journaling of run metadata and decision payloads to a predictable filesystem location without any explicit warning, opt-in, retention policy, or guidance on sensitive-data handling. In contexts where commands, reasoning summaries, hashes, or payload contents may reflect user data, this can create unintended local data exposure to other local users, backups, or forensic collection.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The sync-diff examples explicitly return sensitive personal data including email and phone numbers without any guidance on authorization, minimization, or safe handling. In an agent skill context, reusable query templates can normalize broad access to contact data and make inadvertent overexposure more likely during sync, debugging, or status workflows.
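One way to keep such a diff useful without placing full email addresses and phone numbers into an agent's context window or a status log is to report which fields differ and show only masked values. The following is an added example for this page, not the skill's own sync-diff template; the two contact records, the field names and the masking rules are constructed.

```python
"""Report contact-sync differences without exposing full email or phone values.

Added example for this page; not the Weave skill's sync-diff template. The
two contact records and the field names below are constructed.
"""
import re


def mask_email(value):
    """ada.lovelace@example.org -> a***@example.org (domain kept for triage)."""
    local, at, domain = value.partition("@")
    return f"{local[:1]}***@{domain}" if at else "***"


def mask_phone(value):
    """+1 (555) 010-1234 -> ***1234 (last four digits only)."""
    digits = re.sub(r"\D", "", value)
    return f"***{digits[-4:]}" if len(digits) >= 4 else "***"


# Fields whose values must never appear unmasked in diff output.
MASKERS = {"email": mask_email, "phone": mask_phone}


def minimized_diff(local, remote):
    """Return {field: (local_masked, remote_masked)} for fields that differ.
    Non-sensitive fields are shown as-is; sensitive ones only masked; a field
    missing on one side is reported as None."""
    out = {}
    for field in sorted(set(local) | set(remote)):
        a, b = local.get(field), remote.get(field)
        if a == b:
            continue
        mask = MASKERS.get(field, lambda v: v)
        out[field] = (mask(a) if a is not None else None,
                      mask(b) if b is not None else None)
    return out


# Constructed sample: the same person in the local graph and in the remote
# contacts store, with a changed email domain and a phone number that only
# exists remotely.
LOCAL = {"name": "Ada Lovelace", "email": "ada.lovelace@example.org", "company": "Acme"}
REMOTE = {"name": "Ada Lovelace", "email": "ada.lovelace@example.net",
          "phone": "+1 (555) 010-1234", "company": "Acme"}

if __name__ == "__main__":
    for field, (l, r) in minimized_diff(LOCAL, REMOTE).items():
        print(f"{field}: local={l!r} remote={r!r}")
```

The masked form is enough to decide which side wins a sync conflict (the domain changed; a phone appeared remotely) without the full values ever leaving the sync code path; the full values are only read again by the code that performs the write the operator approved.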

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The manifest advertises multiple broad, natural-language trigger phrases such as 'add this person', 'relationship with', and 'prepare for meeting with' that are common in ordinary conversation. In a skill that stores and retrieves sensitive relationship and preference data, overbroad activation increases the chance of unintended invocation, causing accidental access to private data or unintended writes to a personal social graph.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
This skill is explicitly designed to store queryable records about people, relationships, preferences, and shared experiences, and it supports syncing Google Contacts and CRM data. The manifest does not present a clear privacy warning, consent model, retention policy, or disclosure of the sensitivity of imported and stored personal data, which makes accidental over-collection, inappropriate recall, and privacy-invasive processing more likely.

VirusTotal

66/66 vendors flagged this skill as clean. This verdict covers only the artifact that was scanned; code pulled later by the skill's daily self-update job is not covered by it.
