para-pkm

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PARA knowledge-base helper, but its file-changing scripts are under-scoped and can overwrite or delete user-selected files beyond the documented project workflow.

Review before installing. Use this only on a backed-up knowledge base, run commands from the intended KB root, avoid absolute paths or ../ path traversal, and verify archive and output paths carefully. The main risk is accidental local file overwrite or deletion, not hidden network activity or credential theft.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill instructs the agent to run local Python scripts that create, validate, archive, and generate navigation for a knowledge base, which implies file read/write access. Because no permissions are explicitly declared, an agent platform may expose these capabilities without clear user-visible scoping or review, increasing the chance of unintended filesystem modification. In this context the capability is expected for the skill’s purpose, but the undeclared access is still a real security issue because it weakens least-privilege controls and transparency.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The function accepts any user-supplied path, resolves relative paths against kb_path, and never verifies that the source is under projects/active or even under the knowledge base root. It then copies the file into archives and deletes the original, which can destroy arbitrary accessible files if the script is invoked with an unexpected path such as ../notes.md or an absolute path.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The documentation states the script moves completed projects from projects/active to archives, but the implementation will process any supplied file path and then unlink the original. This mismatch creates a dangerous trust gap: users may run the tool expecting scoped behavior while it actually performs broader destructive actions.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The script deletes the source file immediately after writing the archive copy, with no confirmation prompt, dry-run mode, backup verification, or rollback handling. In a PKM tool where users may invoke commands on valuable notes, a mistaken path or partial write could lead to unintended data loss.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding
The script writes directly to `kb_path / args.output` using `write_text()` without checking whether the destination file already exists or warning the user that it will be replaced. In this skill's context, that can unintentionally destroy or replace important navigation or documentation files, especially because the filename is user-controlled and the default target is a commonly meaningful file (`AGENTS.md`).

VirusTotal

64/64 vendors flagged this skill as clean.