Launchthatbot Convex Backend

Security checks across malware telemetry and agentic risk

Overview

This skill performs sensitive Convex-backed secret and memory storage, but the behavior is disclosed, purpose-aligned, and user-controlled enough to remain benign.

Install only if you want this agent to use your Convex project as a backend for secrets, memory, and daily logs. Before migrating, confirm the target Convex deployment, review which .env keys will be copied, keep CONVEX_DEPLOY_KEY local and private, avoid pasting real deploy keys into shell history when possible, and use a dedicated Convex project if agents should not share memories or credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill directs the agent to read a local .env file, copy secrets into a remote Convex backend, and then delete the local copies after confirmation. Even with a confirmation gate, this is security-sensitive behavior because it changes the system's trust boundary, can break dependent tooling that still expects local env vars, and increases exposure if the remote backend is misconfigured or shared across agents. The user-facing description does not prominently warn about these privacy, availability, and operational risks.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README instructs users to deploy using `CONVEX_DEPLOY_KEY=...` inline on the command line but does not include any guidance about secure handling of that credential. Inline secret usage can leak through shell history, process listings, copied logs, screenshots, or careless substitution with a real key, increasing the chance of credential exposure for the Convex backend.

Ssd 3

Medium
Confidence: 90%
Finding
The skill instructs the agent to persist user information, preferences, decisions, and daily session summaries into long-term cloud storage by default. Although framed as memory/logging functionality, default collection and retention of user context can capture sensitive personal or operational data without sufficient minimization, consent granularity, retention controls, or redaction safeguards, creating privacy and data-exposure risk if the backend is accessed by other agents or compromised.

VirusTotal

66/66 vendors flagged this skill as clean.
