ClawHub

Creativity

Security checks across malware telemetry and agentic risk

Overview

This creativity skill stores local taste and feedback notes to personalize future creative work, with no evidence of unsafe execution or data exfiltration.

Install this if you want the assistant to remember creative tastes and feedback across sessions. Avoid putting sensitive personal information into creative feedback, and review or clear preferences.md if you do not want those notes retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to update a persistent preferences file after each creative task, but it never tells the user that their reactions, tastes, and behavioral signals may be stored across sessions. This creates undisclosed profiling and persistence of user preference data, which can violate user expectations and privacy requirements even if the stored data seems low sensitivity.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The learning workflow says to record user reactions in preferences.md as part of normal operation, which means feedback and choice patterns are being durably logged without notice. That turns ordinary conversational feedback into silent profile building, increasing privacy risk and the chance of misuse, overcollection, or retention beyond what the user intended.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The calibration section describes inferring patterns from prior interactions and continuing to adapt based on those observations, but it does not inform the user that an ongoing taste model is being built. In a creativity skill, this context makes the behavior seem helpful and low-risk, yet it still constitutes undisclosed behavioral profiling and can normalize hidden persistence of user attributes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal