Pronoun Resolver

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned, but it automatically intercepts prompts, sends prompt-derived content through Claude CLI calls, and stores prompt-derived history by default.

Install only if you are comfortable with every prompt being scanned, ambiguous prompts and correction checks being sent through local Claude CLI model calls, and prompt-derived resolution history being stored in a project ledger. Add the ledger to .gitignore, review or purge it periodically, and use the disable file in sensitive projects.

SkillSpector (13)

By NVIDIA

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill invokes a shell command and documents persistent ledger writes, but it declares no permissions, creating a transparency and governance gap. In an always-on prompt hook, undeclared shell, environment, and file-write capabilities increase the risk of hidden data handling or command side effects without informed user approval.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 87%
Finding:
The documented behavior says the skill is always active when installed, yet it can be disabled, and the analysis indicates additional correction-tracking behavior not disclosed in the description. Behavior/description mismatches are dangerous because users and reviewers cannot accurately assess what data is processed, when the skill runs, or how project-specific state is updated.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding:
The script includes the full project path in the JSON payload sent to the downstream resolver, which expands the resolver's visibility beyond the minimum data needed for pronoun disambiguation. In an always-active skill, exposing repository location metadata can unnecessarily leak sensitive environment details and can enable broader context inference or path-based data access in later stages.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding:
The council path explicitly tells the secondary model to resolve pronouns using 'project context at {project_dir}', expanding scope beyond the user message and conversation context claimed by the skill. In an always-active skill, this can cause unintended disclosure or inference from sensitive repository contents, especially because project_dir is supplied from stdin and may point at arbitrary locations the hook can access.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The README explicitly states that every resolution is logged to `.claude/pronoun-ledger.json`, including the original prompt and inferred referent, but does not present a clear privacy warning or consent mechanism. Because this skill is always-on and processes all user prompts, it can persist sensitive project details, secrets, filenames, and user intent in local storage without users realizing the retention implications.

Vague Triggers

High
Confidence: 93%
Finding:
An always-on user-prompt-submit hook means every prompt is intercepted before model response, including potentially sensitive or security-relevant content. Broad activation magnifies the blast radius of any parsing error, privacy issue, prompt manipulation, or downstream command behavior because it affects all interactions by default.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The skill states that every message is scanned and ambiguous prompts may be sent through additional LLM stages, but it does not present this as a clear warning to users. This creates privacy and consent risk because prompt contents may be processed beyond the primary assistant path without explicit awareness, especially in an always-on hook.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The ledger stores prompt-derived resolution data persistently in the project directory, but the documentation does not clearly warn users about retention, sensitivity, or multi-user/project exposure. Persistent storage of inferred prompt context can leak confidential project information and create unintended long-term memory across sessions.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The script sends user-derived content to the external `claude` CLI for correction detection without any user-facing disclosure, and elsewhere in the same flow it also packages project metadata for the resolver. Because the skill is always active, this creates covert data egress from user prompts and local context to another model invocation, which is especially risky when prompts may contain secrets, proprietary code references, or sensitive project details.

Vague Triggers

Medium
Confidence: 92%
Finding:
The eval cases normalize extremely broad activators like "fix it", "update them", and "delete it" as expected inputs for an always-on interception skill. In this skill context, broad ambiguous phrases increase the chance the resolver silently binds a pronoun to the wrong file, symbol, or resource and causes unintended edits or destructive actions, especially for verbs like delete/update.

Vague Triggers

Medium
Confidence: 88%
Finding:
Examples like "rename it" and "that's correct" are highly ambiguous and train or validate the skill to engage on ordinary conversational language without strong activation boundaries. Because the skill is always active, this makes unintended interception more likely and can distort user intent, including acting on a recently mentioned symbol or proposal when the user may only be acknowledging prior output.

Ssd 3

Medium
Confidence: 95%
Finding:
The skill persistently logs user prompts, resolved referents, timestamps, confidence scores, and context signals in a plain JSON ledger. In the context of an always-active prompt interception skill, this creates a real data retention and leakage risk because sensitive prompts and inferred project context can accumulate on disk and may later be exposed through backups, accidental commits, shared workspaces, or local compromise.

Ssd 3

Medium
Confidence: 88%
Finding:
The README says the skill watches follow-up messages for correction signals such as 'I meant X' and 'wrong file,' implying continued monitoring and analysis of subsequent user inputs beyond the initial prompt. This expands the volume of captured behavioral and contextual data, increasing privacy risk and making the ledger more sensitive because it may encode user mistakes, intent shifts, and project references over time.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
