Knowledge Router

Security checks across malware telemetry and agentic risk

Overview

This is a local knowledge-routing helper. Its file reads and optional report output match its stated purpose; the privacy cautions that follow concern the local note files it inspects.

Install only if you are comfortable with the agent inspecting local memory, skill reference, audit, and `~/self-improving` note files. Use narrower `--scope` values when possible, keep secrets out of those files, and write `--output` reports only to paths you intend to create or overwrite.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill instructs the agent to read multiple repository files and to use a Python script that can also write output reports, but the skill metadata does not declare any permissions. This creates a capability/permission mismatch: an orchestrator or reviewer may treat the skill as low-risk while it actually performs file reads and possible file writes, reducing transparency and weakening policy enforcement.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding: The router is described as operating over workspace knowledge, but it also enumerates and previews files from `~/self-improving`, which expands its trust boundary beyond the current workspace. This can expose unrelated personal or sensitive notes to the routing process and to whoever receives the generated report, especially because previews are included automatically.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding: The `--output` parameter allows writing the generated report to any filesystem path without restriction. In an agent context, arbitrary file write capability can be abused to overwrite user files, drop content into sensitive locations, or create persistence/artifacts outside the expected skill output area.

Missing User Warnings

Medium
Confidence: 93%
Finding: `preview_text` reads file contents and includes the first lines in memory for ranking, meaning sensitive material can be ingested and later surfaced in output without the user realizing that content previews are being collected. This is particularly risky because the script operates across multiple knowledge stores and does not distinguish sensitive from non-sensitive files.

Missing User Warnings

Medium
Confidence: 95%
Finding: Defining `SELF_IMPROVING` as `Path.home() / 'self-improving'` causes the skill to access data outside the workspace boundary with no explicit warning or opt-in. In a security-sensitive agent environment, undisclosed expansion of read scope is a real confidentiality concern even if the code is not overtly malicious.

VirusTotal

65/65 vendors flagged this skill as clean.
