ClawHub

lossless-claw

Security checks across malware telemetry and agentic risk

Overview

This skill intentionally helps create local memory from conversation logs, and the privacy-sensitive retention is disclosed enough to allow installation with caution.

Install only if you want conversation logs distilled into persistent local memory. Before running the recommended command, inspect the referenced script, confirm the input file is intentional, and verify where short-term logs and long-term memories are stored and how to delete or correct them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes permanent retention of important conversation content and preservation of full short-term logs, but it does not warn users that their conversation data, identity details, and preferences may be retained beyond the current session. This creates a meaningful privacy and consent risk because users may disclose sensitive information without realizing it will be stored and distilled into persistent memory.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill's core workflow instructs reading session logs, extracting identity, preferences, tasks, and knowledge, preserving original content in short-term logs, and promoting high-value content to a long-term layer. In context, this is especially dangerous because the skill is specifically designed for memory consolidation, making systematic collection, retention, and possible later disclosure of sensitive personal data an inherent behavior rather than an incidental side effect.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal