ClawHub

Inventory

Security checks across malware telemetry and agentic risk

Overview

This skill is a local home-inventory organizer, with sensitive recordkeeping that fits its stated purpose.

Install only if you are comfortable keeping a local record of valuables, storage locations, serial numbers, receipts, and photos. Before using it, choose where the inventory folder should live, avoid unintended cloud sharing, and confirm before saving high-value or identifying details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger 'User mentions owning something valuable → offer to catalog' is broad enough to match ordinary conversation and may cause the skill to activate when the user did not explicitly request inventory creation. Because this skill encourages collecting sensitive household data such as valuables, locations, serial numbers, and receipts, unintended invocation increases privacy and physical-security risk beyond a normal organizational skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed to collect highly sensitive household inventory information, including item values, precise storage locations, serial numbers, warranty documents, and receipts, but the description provides no warning about the sensitivity of this data. Storing such information in a local workspace without clear user notice can expose users to privacy harm, theft targeting, fraud, or insurance-document abuse if the data is accessed by other local users, malware, backups, or sync services.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal