Project Manager

Security checks across malware telemetry and agentic risk

Overview

This is a local project-memory skill, not malware, but it warrants review: it can persist conversation-derived project data, scan later conversations on a schedule, and its stated consent boundaries contradict each other.

Install it only if you want an agent to maintain durable local project records. Use explicit project commands and require confirmation before any write. Leave session sync, risk scans, dialogue logs, cron checks, and MemPalace or full-transcript archival disabled unless you accept that conversation summaries or checkpoints will be stored locally or in that external system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The document says session sync is opt-in, but other workflow sections instruct automatic registration on new/resumed projects. That contradiction can cause background monitoring and file updates to occur without a clear user request, undermining consent and making unintended persistence of conversation data more likely.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The skill claims all operations require user confirmation, but many later steps describe automatic creation, updating, scanning, and logging behaviors. In a stateful file-management skill, such contradictions are dangerous because the agent may resolve ambiguity in favor of writing or archiving user content without meaningful consent.

Vague Triggers

Severity: High
Confidence: 91%
Finding
Saying the skill uses no fixed keywords and infers actions from broad conversational context creates an overly permissive activation model. In an agent setting, this can cause unintended project creation, state switching, or persistence based on incidental text, increasing the risk of unauthorized state changes and privacy-impacting data capture.

Vague Triggers

Severity: High
Confidence: 90%
Finding
Repeating a context-inferred activation model without scope constraints reinforces that the skill may trigger on ambiguous dialogue instead of explicit user intent. In a persistence-oriented skill, that makes accidental writes, wrong-project association, and cross-topic capture more likely.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
Persistent session scanning described as continuing after a single activation lacks clear limits on duration, scope, and shutdown conditions. That broad persistence can lead to silent monitoring of unrelated later conversations and unintended recording of sensitive material.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
Automatic periodic scanning of conversations with no stated exclusions or scope limits is risky because it normalizes passive monitoring of all new dialogue. In a skill designed to persist state, this can sweep unrelated or sensitive content into project records without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README describes ongoing scanning and recording of conversations but does not clearly warn users that conversation-derived content may be automatically persisted. That omission creates a privacy and data-governance risk because users may disclose sensitive information without realizing it will be stored in project files.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The workflow explicitly includes auto-scanning conversations to capture topics, yet the README does not warn that this may automatically persist content derived from user dialogue. In practice, that can lead to unanticipated storage of confidential project details, personal data, or unrelated chat content.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The trigger phrases include common conversational language such as '继续吧' ("let's continue"), '记一下' ("note that down"), and '明天继续' ("continue tomorrow"), which can easily appear in ordinary chat. In a skill that reads, creates, updates, archives, and scans project files, overly broad activation materially raises the risk of unintended execution and silent persistence of user content.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The intent-recognition rules allow activation from inferred context, recent activity, and vague references such as '上次那个' ("that one from last time"). That ambiguity can make the agent attach new conversation content to the wrong project or initiate state-management behavior without clear authorization, risking data misfiling and privacy leakage across projects.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill describes storing conversation-derived content in local memory files and recommends preserving full conversations in an external system, but the top-level description does not provide a clear upfront privacy notice. Users may invoke a project-management feature without understanding that their discussions can be archived and made retrievable later.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger phrase "甘特图" ("Gantt chart") is broad enough to appear in normal project-related conversation without the user intending to invoke the skill. In a stateful project-management skill, accidental activation can cause unintended reads or writes to local project state files, making this a real invocation-safety issue even though the skill declares no network access and limited filesystem scope.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The conversation logging feature explicitly preserves project discussions, decision history, and recommends archiving complete conversation transcripts in retrievable storage. Even though it is described as opt-in, this materially increases exposure of sensitive user content because it centralizes and extends retention of potentially confidential discussions.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The session sync workflow instructs periodic review of all new conversation content and recording of detected decisions, tasks, and summaries into project and memory files. Continuous monitoring and extraction of conversation content create a meaningful privacy and consent risk, especially given the document's conflicting guidance about when sync is automatically registered.
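As an added illustration of the Vague Triggers and Intent-Code Divergence findings above (this is constructed example code, not the Project Manager skill's own implementation; the `/project` command syntax, the action names, the `Settings` flags and the sample messages are assumptions made for the demo), the block contrasts the permissive substring-trigger model the findings describe with an explicit-command model that names the project, stages every write as unconfirmed, and registers session sync only when the user has opted in:

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Trigger phrases quoted in the findings, each mapped to a hypothetical skill action
# (the action names are assumptions for this example, not the skill's own).
BROAD_TRIGGERS = {
    "继续吧": "resume",        # "let's continue"
    "上次那个": "resume",      # "that one from last time": project inferred, not named
    "记一下": "note",          # "note that down"
    "明天继续": "checkpoint",  # "continue tomorrow"
    "甘特图": "gantt",         # "Gantt chart"
}


def broad_match(message: str) -> List[str]:
    """Permissive model from the findings: any substring hit activates the skill.

    Returns the sorted set of actions the message would trigger. Ordinary chat that
    merely mentions continuing tomorrow or jotting something down fires it.
    """
    return sorted({action for phrase, action in BROAD_TRIGGERS.items() if phrase in message})


# Hardened model: activation requires an explicit command that names the project
# and the action, so nothing is inferred from incidental dialogue.
COMMAND_RE = re.compile(
    r"^/project\s+(?P<project>[A-Za-z0-9_-]{1,64})\s+"
    r"(?P<action>resume|note|checkpoint|gantt)(?:\s+(?P<arg>.*))?$"
)


@dataclass
class PendingWrite:
    """A staged operation; nothing touches the store until confirmed is True."""
    project: str
    action: str
    arg: str = ""
    confirmed: bool = False


def explicit_match(message: str) -> Optional[PendingWrite]:
    m = COMMAND_RE.match(message.strip())
    if m is None:
        return None
    return PendingWrite(m["project"], m["action"], m["arg"] or "")


@dataclass
class Settings:
    session_sync: bool = False        # opt-in only; resuming a project must not flip it on
    transcript_archive: bool = False  # full-transcript archival likewise stays off by default


@dataclass
class ProjectStore:
    records: Dict[str, List[str]] = field(default_factory=dict)
    synced: Set[str] = field(default_factory=set)

    def apply(self, pending: PendingWrite, settings: Settings) -> bool:
        """Commit a staged operation. Returns False (and writes nothing) unless confirmed."""
        if not pending.confirmed:
            return False
        if pending.action == "gantt":
            return True  # read-only render of existing state, no write
        self.records.setdefault(pending.project, []).append(
            f"{pending.action}:{pending.arg}"
        )
        # Session sync is registered only when the user opted in, never as a side
        # effect of resuming a project (the contradiction the first finding describes).
        if pending.action == "resume" and settings.session_sync:
            self.synced.add(pending.project)
        return True


if __name__ == "__main__":
    # Constructed sample message: "The client says we'll continue the budget
    # discussion tomorrow; note that down first." No command was given.
    incidental = "客户说明天继续讨论预算，先记一下"
    print("broad model fires:", broad_match(incidental))        # ['checkpoint', 'note']
    print("explicit model fires:", explicit_match(incidental))  # None
```

The point of the split between `explicit_match` and `ProjectStore.apply` is that recognition never writes: the agent can surface the `PendingWrite` for the user to confirm, and a mis-parse costs nothing. The `Settings` defaults encode the Overview's advice that sync and archival stay off until deliberately enabled.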

VirusTotal

65/65 vendors flagged this skill as clean. Antivirus engines check the skill's files against known malware signatures; a clean verdict says nothing about the trigger, consent and data-retention issues in the findings above, which are prompt-level behaviors rather than executable code.
