Aps Filesystem Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local APS knowledge-base helper whose file writes, indexing, Git commits, and memory retention fit its stated purpose, though users should treat the stored data as sensitive.

Install this only if you want the agent to maintain a local APS scheduling knowledge base. Keep aps_knowledge_base access-controlled, review pending proposals before confirmation, redact secrets or unnecessary personal data from source quotes and decision logs, use backups or Git history, and pin or vet ChromaDB if you use vector indexing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The skill expands from simple filesystem interaction into executing git subprocess commands. Even though arguments are passed as a list rather than shell=True, this still gives the agent command-execution capability and can cause unintended repository-wide changes, side effects, or abuse if the skill is triggered too broadly or operates on attacker-influenced content.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger conditions are so broad that the skill may activate for general APS decision-making, persistence, or exploratory tasks well beyond narrow filesystem access. Over-broad invocation increases the chance that an agent will unnecessarily access, retain, or modify sensitive local knowledge-base data in situations where simpler or safer behavior would suffice.

Missing User Warnings

Medium
Confidence: 83%
Finding
The helper mutates rule JSON files and then silently suppresses all exceptions while updating ChromaDB metadata, which can leave the filesystem and vector index in inconsistent states. In this skill context, the code operates on a local knowledge base used for scheduling decisions, so silent partial writes or malformed rule data can degrade integrity and cause incorrect downstream decisions without alerting the operator.

Ssd 3

Medium
Confidence: 90%
Finding
The skill explicitly instructs the agent to persist learned conversation content into long-term client memory and filesystem records. That creates a real data-retention risk: sensitive operational details, user-provided information, or confidential planning context may be stored indefinitely without minimization, classification, or consent controls.

Ssd 3

Medium
Confidence: 95%
Finding
The proposal flow stores verbatim source_quote text from conversations in proposal files. Verbatim excerpts can capture secrets, personal data, credentials, pricing, or other confidential context that does not need to be retained in raw form, increasing leakage and compliance risk.

Ssd 3

Medium
Confidence: 91%
Finding
The skill requires persisting decision summaries and session records after every scheduling session, which can accumulate sensitive operational history over time. Mandatory broad logging without minimization, retention limits, or access controls increases exposure if the filesystem is later accessed, indexed, or exfiltrated.

VirusTotal

VirusTotal findings are pending for this skill version.