Notnative

Security checks across malware telemetry and agentic risk

Overview

This is a coherent NotNative integration, but it automatically stores personal facts permanently and exposes broad MCP/Python capabilities without enough user controls.

Install only if you intentionally want NotNative to keep long-term memory and you trust the connected server. Prefer a local or authenticated TLS endpoint, avoid plain remote ws://, review or remove the automatic memory instructions, and treat run-python and generic MCP calls as powerful operations that can affect data or execute code in the NotNative environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The generic `call` command allows arbitrary invocation of any MCP tool exposed by the connected server, not just the documented note/calendar/memory operations. In this skill context, that significantly expands the attack surface because a user or upstream prompt can trigger unexpected privileged capabilities on a local or remote Notnative instance, bypassing the skill's intended constraints.

Missing User Warnings

High
Confidence: 98%
Finding
The skill instructs the assistant to permanently store personal information across conversations and to do so automatically, but it does not require informed user consent, minimization, or a retention policy. This is dangerous because it can lead to silent collection of sensitive personal data such as allergies, work context, and preferences, creating privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill exposes powerful capabilities including note modification, task/event creation, web access, and Python execution, but does not pair them with safety guidance, confirmation requirements, or scope restrictions. In practice, this increases the risk of unintended data modification, unsafe code execution, or privacy leakage when the assistant follows the skill literally.

Missing User Warnings

Medium
Confidence: 95%
Finding
The installer appends an environment variable export to the user's ~/.bashrc without an explicit warning or opt-in. This creates persistent shell-state changes outside the skill directory, which can surprise users, affect future sessions, and normalize unsafe installer behavior even though the specific value written here is only a connection URL.

Missing User Warnings

Low
Confidence: 88%
Finding
The script stores the supplied WebSocket endpoint in a local .config/env file without notifying the user that connection details will be persisted on disk. While not inherently malicious, silently saving remote connection information can expose sensitive internal hostnames or service endpoints to other local processes or future users of the account.

Missing User Warnings

Medium
Confidence: 87%
Finding
The script exposes destructive operations such as note updates and memory deletion without confirmation, dry-run support, or any warning to the operator. In a skill with persistent memory and note access, accidental or prompt-induced execution can permanently alter or erase user data, making the context more dangerous than a transient utility.

Missing User Warnings

High
Confidence: 97%
Finding
The `run-python` command exposes direct code execution on the connected MCP server with no warning, restriction, or trust boundary enforcement. Given this skill can connect to local infrastructure and promotes broad assistant integration, prompt-driven or user-supplied code could lead to full remote code execution, data theft, or system compromise.

Missing User Warnings

Medium
Confidence: 84%
Finding
The client sends arbitrary tool parameters, including notes, memories, profile data, and code, over a WebSocket connection without any privacy notice, transport assurance, or disclosure that `NOTNATIVE_WS_URL` may point to a remote host. Because this skill is designed for persistent memory and sensitive personal context, silent transmission to a non-local or insecure endpoint increases the risk of data exposure.

Ssd 3

High
Confidence: 99%
Finding
The skill explicitly mandates permanent storage of user-shared facts across all conversations, without boundaries for consent, necessity, sensitivity, or retention. In this context, the danger is elevated because the skill is centered on persistent memory, so these instructions strongly encourage overcollection and long-term profiling of users.

Ssd 3

High
Confidence: 99%
Finding
The instructions specifically tell the assistant to immediately persist personal details including allergies, work context, and preferences. These categories can be sensitive or safety-relevant, and storing them automatically without user approval or minimization creates serious privacy exposure and potential misuse if the memory backend is accessed, synced, or compromised.

VirusTotal

64/64 vendors flagged this skill as clean.
