Decision Topology

Security checks across malware telemetry and agentic risk

Overview

This skill persistently records local conversation-structure summaries, but the behavior is disclosed, purpose-aligned, locally scoped, and shows no exfiltration or destructive actions.

Install only if you want an always-on local record of how some conversations evolve. Avoid using it for highly sensitive discussions unless you are comfortable with local JSON, concept index, and markdown files being retained; set `always: false` or delete/relocate the trees directory for tighter control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The script persists more than abstract topology: the Markdown companion file includes node summaries, reasoning, kill reasons, concepts, and related-tree links. Even with truncation, this broadens stored data beyond the stated 'local JSON tree' purpose and increases the chance of retaining sensitive conversational content in an additional, human-readable/indexable format.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
The changelog explicitly notes `always: true` to enable always-on activation behavior, while only mentioning a privacy note that 'user consents by installing.' For a skill that records conversation structure continuously, default always-on behavior without clear runtime opt-in, granular control, or prominent consent UX creates a meaningful privacy and surveillance risk even if data is local-only.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README states the skill is active during every conversation by default and also generates persistent companion files, but it does not give a prominent privacy warning or explain the consequences of retaining potentially sensitive conversation content. This creates a real privacy and security risk because users may disclose secrets, personal data, or internal project details without realizing they are being stored locally and indexed for later retrieval.

Vague Triggers

Medium
Confidence: 81%
Finding
The activation rules are broad enough that the skill may begin persistently recording conversation structure during ordinary brainstorming or problem-solving without a clear, moment-specific consent check. Because the skill is configured as always active and persists derived conversation data across sessions, overbroad triggering increases the chance of capturing sensitive topics the user did not expect to be stored.

Missing User Warnings

Low
Confidence: 84%
Finding
The skill operationally instructs the agent to persist conversation-derived data, but the recording sections do not pair those actions with an explicit runtime warning or consent reminder. Even if only summaries are stored, persistent local logs of rejected ideas, pivots, and concepts can still reveal sensitive intent, priorities, and private context, especially when retained across sessions and linked across trees.

Ssd 3

Medium
Confidence: 95%
Finding
Always-on recording combined with concept indexing and auto-generated markdown files creates a data retention surface for all conversation-derived content, including sensitive prompts, decisions, and rejected ideas. Even without network access, persistent local storage increases exposure through disk compromise, backups, shared workspaces, or unintended semantic indexing of confidential material.

Ssd 3

Medium
Confidence: 94%
Finding
The usage section says the skill runs automatically and that the user can interact naturally, which implies passive logging across ordinary conversations rather than explicit invocation. In context, that makes the retention risk more serious because users may not recognize when logging is occurring, reducing meaningful consent and increasing the chance that sensitive material is captured.

VirusTotal

66/66 vendors flagged this skill as clean.
