Random Thought

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for workspace reflection, but it needs Review because scheduled runs can broadly read local files, persist derived notes, and the documented corpus controls are not fully enforced by the helper scripts.

Install only in workspaces you are comfortable having repeatedly read by an agent. Before enabling cron, run it on a narrow directory, add strong exclusions for secrets and private notes, verify the script behavior matches your config, and review the history/output directory before syncing or sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill explicitly instructs the system to write outputs and maintain state files, yet no permissions are declared to make those capabilities visible to users or policy systems. That hidden write capability increases risk because cron-driven execution can continuously create or modify files without an explicit trust boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
79% confidence
Finding
The documented behavior presents a reflective writer/curator, but the described implementation also manages persistent history state and omits the actual reflection/curation logic from the concrete scripts. This mismatch is dangerous because users may authorize the skill for one purpose while it performs additional filesystem tracking and background operations they did not clearly consent to.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly describes autonomous reading of random workspace files and generation of written observations, but it does not warn that the selected files may contain sensitive source code, notes, or secrets and that reflections may reproduce or transform that content into new output files. In a cron-driven setting, this increases the chance of unintended data exposure because the behavior is continuous and unattended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README recommends unattended cron execution and emphasizes isolated scheduled runs, but does not clearly warn users that the agent will autonomously scan workspace content and write files on a recurring basis. That omission is security-relevant because scheduled autonomous file processing can amplify accidental disclosure, especially when users assume the skill is low risk or passive.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is designed to scan arbitrary workspace files and run repeatedly under cron, but the documentation does not prominently warn that it can continuously read sensitive project content and write derived observations. In a real workspace this can expose secrets, proprietary code, or private notes through generated reflections and digests, especially because automation reduces user oversight.

Credential Access

High
Category
Privilege Escalation
Content
"excludePatterns": [
  "node_modules", ".git", ".next", "dist", "build",
  "venv", "__pycache__", "*.png", "*.jpg", "*.gif",
  "*.mp3", "*.ogg", "*.pdf", "*.zip", "*.env",
  "*.pem", "*.key", "package-lock.json", "*.lock"
],
"minFileSize": "100c",
Confidence
95% confidence
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.
