Project OS Organizer

Security checks across malware telemetry and agentic risk

Overview

This local project organizer is mostly purpose-aligned, but it deserves Review because broad chat routing, direct shell config loading, and opt-in remote/background execution give it more authority than the user may expect.

Install only if you are comfortable with a shell-based local project manager that can scan project folders and, when opted in, chat/session folders and GitHub context. Review any .project_os_env file before use, avoid changing the trusted repository variables, do not enable remote install, home discovery, chat indexing, or GitHub sync unless you understand the scope, and use extra care with natural-language commands that mutate project state such as merge or status changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'CONFIG_PATH' from os.environ.get (line 11, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
"servers": [],
    }

    CONFIG_PATH.write_text(json.dumps(config, indent=2), encoding="utf-8")

    print(f"Wrote config: {CONFIG_PATH}")
    print(f"DB path: {DB_PATH}")
Confidence
90% confidence
Finding
CONFIG_PATH.write_text(json.dumps(config, indent=2), encoding="utf-8")

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
This file implements a generic background-process launcher that can execute arbitrary commands and persist them as daemons, which is broader than a typical project-organizer need. In an agent skill context, that capability is dangerous because it can be chained into long-lived arbitrary code execution, persistence, and stealthier post-compromise behavior if any upstream component passes attacker-controlled arguments.

Vague Triggers

High
Confidence
96% confidence
Finding
The skill defines its default action for every user message as routing the message into `scripts/project_router.sh`, which gives the skill an effectively global trigger. In practice, this can cause the skill to intercept unrelated conversations and invoke shell-based automation on broad natural-language input, increasing the chance of unintended data access, file mutation, or command execution paths.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description markets the skill as a general, simple command surface for common project-management requests without tightly defined activation boundaries. That broad framing makes accidental invocation more likely, especially when combined with command routing and filesystem/session discovery behavior elsewhere in the skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally sources a local .project_os_env file, which executes arbitrary shell code in the current process rather than merely loading key/value settings. If an attacker can place or modify that file in the skill directory, they can run commands whenever this helper is invoked, and the sourced values can also alter later behavior such as repository selection and install paths.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code can clone and then execute code from a remote repository path when auto-setup flags are enabled, but it does so without an explicit user-facing warning at the point of use. Although it restricts the URL to a trusted value by default, the trust boundary is weak because both repository variables can be influenced via the sourced environment file, and a reused existing clone is accepted as-is.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The merge command performs a potentially destructive state-changing operation immediately after receiving --keep and --drop values, with no confirmation prompt, dry-run, or safety interlock in this wrapper. In a chat-first project-management context, where commands may be triggered from natural-language flows or agent mediation, a mistaken target selection could silently merge the wrong projects and cause data loss or corruption that is hard to reverse.

VirusTotal

65/65 vendors flagged this skill as clean.
