Context Manager

Security checks across malware telemetry and agentic risk

Overview

This is a real personal knowledge-management skill, but it needs Review because it can permanently delete saved notes and encourages broad storage of sensitive personal and third-party context.

Install only if you are comfortable storing journals, imported messages, links, and distilled personal context in local files. Review what will be saved before using broad save or scan commands, avoid importing third-party or work conversations without permission, and do not run entropy reduction with --force unless you have backups and have reviewed every deletion candidate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
Finding:
Granting Exec to a skill whose documented workflow only needs file organization and user-guided note processing creates unnecessary attack surface. If the skill or downstream prompts are ever manipulated, Exec could be used to run arbitrary local commands unrelated to journaling, turning a content-management tool into a system-impacting one.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
Finding:
This script can permanently delete user journal and external notes when run with --force, based on subjective heuristics such as missing 'inner judgment', no graph connections, or age over 90 days. In a personal context-management skill, this is risky because normal but still valuable notes may be misclassified and destroyed without meaningful confirmation, backup, quarantine, or recovery controls.

Intent-Code Divergence

Severity: Medium | Confidence: 88%
Finding:
The docstring frames the behavior as safe 'cleanup' that preserves core cognition, but the implementation supports irreversible deletion of markdown files. That mismatch is dangerous because users may trust the description and run the tool without realizing it can remove personal data based on weak, opinionated rules.

Vague Triggers

Severity: Medium | Confidence: 84%
Finding:
The README uses broad, natural-language activation examples such as requests to record thoughts, organize cognition, or save content. In an agent ecosystem, overly generic triggers can cause accidental invocation in normal conversation, which is risky here because the skill handles personal context and journaling data that may be sensitive.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding:
The README encourages saving external content from platforms like WeChat, Feishu, Xiaohongshu, Yuanbao, and local sources, but it does not describe consent, retention, redaction, or other privacy safeguards. Because this skill is specifically designed to collect and integrate personal context, omission of data-handling warnings increases the chance that users will ingest sensitive or third-party content without understanding the privacy consequences.

Vague Triggers

Severity: Medium | Confidence: 90%
Finding:
The activation description is broad and based on ordinary conversational themes and keywords, making accidental invocation plausible. In this skill, accidental triggering is more concerning because it can lead to persistent storage of sensitive reflections, creation of files, and possibly follow-on automation without the user intentionally choosing the skill.

Vague Triggers

Severity: Medium | Confidence: 93%
Finding:
The trigger phrase '帮我保存这个' ("help me save this") is extremely generic and likely to collide with normal conversation. Because this skill stores personal content and external material, an ambiguous trigger can cause unintentional collection and persistence of data the user did not mean to archive.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding:
The skill encourages ingesting content from WeChat, Feishu, Xiaohongshu, Yuanbao, and local files, but does not clearly warn about privacy, retention, consent, or possible third-party confidentiality obligations. This is dangerous because users may import sensitive conversations, work documents, or personal data into long-term storage without understanding the exposure and persistence risks.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding:
The automation section describes exports, syncing, folder scanning, bots, and webhooks without a clear warning about the privacy and system implications of continuous ingestion. That increases risk because background or semi-automatic collection can quietly expand the amount of sensitive data retained and can affect the local environment in ways users may not anticipate.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding:
The example expects the skill to '自动打标存储' ("automatically tag and store") and '生成 journal 文件' ("generate journal files") without any visible requirement for user confirmation or warning that local files may be created or modified. In a context-management skill, silent persistence can expose sensitive personal reflections and create unintended data retention on the user's system.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
This prompt describes accepting an external link, storing content, and creating connections without warning about possible network access, retrieval of third-party content, or privacy implications. If implemented literally, the skill could fetch remote data and persist it alongside personal notes, potentially leaking browsing intent or importing untrusted content into the user's knowledge base.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding:
The prompt expects the system to '扫描所有笔记' ("scan all notes") and generate 'minimal-kernel.md' without disclosing the breadth of data access or requiring approval. Broad note scanning can expose highly sensitive personal context, and summarization into a new file can concentrate private information into a single artifact that is easier to misuse or exfiltrate.

Ssd 3

Severity: Medium | Confidence: 95%
Finding:
This section explicitly instructs ingestion and persistence of chat records, exported conversations, and other external content, creating a durable personal data store. Even if intended as a productivity feature, it is dangerous because it normalizes collection of highly sensitive conversational data that may include credentials, private contacts, health details, or confidential work material.

Ssd 3

Severity: Medium | Confidence: 93%
Finding:
The bridge-record design creates persistent derived summaries linking external information to the user's internal judgments and feelings. That makes the stored data more sensitive than raw notes alone, since it builds a structured profile of beliefs, reactions, and relationships that could be misused if exposed.

Ssd 3

Severity: Medium | Confidence: 94%
Finding:
Ongoing export and synchronization workflows across platforms create a broad, compounding collection pipeline for personal and third-party data. In context, this is more dangerous because the skill's purpose is long-term accumulation and cross-linking, which amplifies surveillance, profiling, and accidental disclosure risks over time.

VirusTotal

66/66 vendors flagged this skill as clean.
