
Security audit

personal-context-manager

Security checks across malware telemetry and agentic risk

Overview

This is a local personal knowledge-management skill: it stores notes on disk as expected and ships a scoped cleanup script, and it carries privacy and deletion risks that users should understand before installing.

Install only if you are comfortable storing personal reflections and imported content in local files. Avoid saving secrets or private third-party/work material without permission, use explicit commands, run the entropy cleanup in dry-run mode first, and back up notes before any --force deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a personal context-management helper, but the documented behavior goes further into filesystem scanning, automated file creation, retention analysis, and cleanup/deletion workflows. That mismatch is dangerous because users may consent to note-taking without realizing the skill can inspect local content, classify it as low value, and potentially remove files, increasing risk of privacy loss and unintended data destruction.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Granting `Exec` to a skill whose primary purpose is journaling and knowledge organization unnecessarily expands the attack surface. If invoked in an unsafe implementation, arbitrary command execution could be used to access unrelated files, run automation, or alter the system beyond the user's expected note-management scope.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The documentation expands the skill into webhook, bot, API export, timed sync, and folder-monitoring automation, which materially increases data-ingestion and persistence scope. Even if presented as optional integrations, these hooks can pull in sensitive personal conversations and files from multiple sources without sufficient security boundaries or consent language.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script goes beyond passive context management and performs bulk classification of personal notes using weak heuristics, then prepares them for deletion. In a journaling and cognition-management skill, automated judgments about 'low value' content are especially risky because they can erase meaningful personal history, reflection, or knowledge that the heuristic fails to recognize.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code permanently deletes journal and external knowledge files with Path.unlink() when --force is provided, with no recycle bin, backup, integrity check, or confirmation prompt. Because the data is personal and likely irreplaceable, accidental or misguided execution can cause immediate and unrecoverable loss of user content.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation frames the tool as 'cleaning' low-value content and preserving core cognition, but the implementation can remove entire files. That mismatch is dangerous because users may consent to a mild maintenance action while the script actually performs destructive operations, increasing the chance of uninformed data loss.
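The two findings above (permanent Path.unlink() under --force with no backup or confirmation, and a "cleaning" description that hides whole-file removal) and the overview's advice to dry-run first and back up before --force all point at the same fix. The block below is an added example of that hardened pattern, not the skill's own script: `is_low_value` is a stand-in heuristic assumed for demonstration, and the `.quarantine` directory, the manifest file and the `restore` helper are hypothetical names chosen here. It also confines candidates to the notes root and ignores symlinks, which addresses the scope-creep concern raised elsewhere in this audit.

```python
# Added example: a hardened cleanup pattern, not the skill's own script.
# Dry-run is the default; force moves candidates into a quarantine directory
# with a manifest instead of unlinking them; only regular files that resolve
# inside the notes root are eligible. The heuristic is a stand-in assumption.
from __future__ import annotations

import json
import shutil
import tempfile
import time
from pathlib import Path

QUARANTINE = ".quarantine"  # hypothetical backup area under the notes root


def is_low_value(path: Path, min_chars: int = 40) -> bool:
    """Stand-in heuristic (assumption): near-empty notes are 'low value'. Advisory only."""
    return len(path.read_text(encoding="utf-8", errors="replace").strip()) < min_chars


def confined(root: Path, path: Path) -> bool:
    """True only for a non-symlink regular file whose real path lies inside root."""
    if path.is_symlink():
        return False
    try:
        resolved = path.resolve(strict=True)
    except OSError:
        return False
    return resolved.is_file() and resolved.is_relative_to(root)


def find_candidates(root: Path) -> list[Path]:
    """Scan *.md under root, skipping the quarantine area and anything unconfined."""
    return [p for p in sorted(root.rglob("*.md"))
            if QUARANTINE not in p.relative_to(root).parts
            and confined(root, p) and is_low_value(p)]


def cleanup(root: Path, force: bool = False) -> dict:
    """Without force nothing on disk changes. With force, candidates are moved (never
    unlinked) into a timestamped quarantine directory with a manifest for restore."""
    root = root.resolve()
    cands = find_candidates(root)
    report = {"dry_run": not force,
              "candidates": [str(c.relative_to(root)) for c in cands],
              "quarantine": None}
    if not force or not cands:
        return report
    qdir = root / QUARANTINE / time.strftime("%Y%m%dT%H%M%S")
    qdir.mkdir(parents=True, exist_ok=False)
    manifest = {}
    for i, c in enumerate(cands):
        dest = qdir / f"{i:04d}_{c.name}"
        shutil.move(str(c), str(dest))
        manifest[dest.name] = str(c.relative_to(root))
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    report["quarantine"] = str(qdir)
    return report


def restore(qdir: Path, root: Path) -> int:
    """Move quarantined files back to their recorded paths; returns the count restored."""
    root = root.resolve()
    manifest = json.loads((qdir / "manifest.json").read_text(encoding="utf-8"))
    restored = 0
    for name, original in manifest.items():
        dest = root / original
        if not dest.resolve().is_relative_to(root):  # tampered-manifest guard
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(qdir / name), str(dest))
        restored += 1
    return restored


def demo() -> dict:
    """Exercise the workflow on a constructed notes tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td) / "notes"
        (root / "journal").mkdir(parents=True)
        (root / "external").mkdir()
        keep = root / "journal" / "2024-01-01.md"
        keep.write_text("# Reflection\n" + "An entry that is clearly worth keeping. " * 3, encoding="utf-8")
        short = root / "journal" / "short.md"
        short.write_text("todo\n", encoding="utf-8")
        stub = root / "external" / "stub.md"
        stub.write_text("", encoding="utf-8")
        outside = Path(td) / "secret.md"  # constructed file outside the notes root
        outside.write_text("", encoding="utf-8")
        try:
            (root / "journal" / "link.md").symlink_to(outside)  # escape attempt
        except OSError:
            pass  # no symlink support on this platform
        dry = cleanup(root)
        untouched = short.exists() and stub.exists()
        forced = cleanup(root, force=True)
        gone = not short.exists() and not stub.exists() and keep.exists()
        restored = restore(Path(forced["quarantine"]), root)
        return {"dry": dry["candidates"], "untouched_after_dry": untouched,
                "forced": forced["candidates"], "gone_after_force": gone,
                "restored": restored, "back": short.exists() and stub.exists(),
                "outside_untouched": outside.exists()}
```

Wiring `force` to a `--force` flag with argparse is left out; the point is the behaviour: the same invocation that would unlink in the audited script only moves files here, and the manifest makes the action reversible. If the notes folder is synced or indexed (see the retention findings below), the quarantine directory should be excluded from that sync so that moved files do not simply reappear elsewhere.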

Vague Triggers

Medium
Confidence
84% confidence
Finding
The example trigger phrases are broad, natural-language requests such as '帮我记录今天的触动事' ("help me note down what moved me today") and similar generic prompts, which could overlap with ordinary conversation and cause the skill to activate unintentionally. In a context-management skill that stores personal reflections or content, accidental invocation can lead to unexpected collection, persistence, or processing of sensitive personal data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises saving external content from platforms like WeChat, Feishu, Xiaohongshu, Yuanbao, and local sources without any privacy notice, consent guidance, retention policy, or handling restrictions. Because this skill centers on personal context and journaling, users may ingest highly sensitive or third-party content, creating meaningful privacy, confidentiality, and compliance risk if data is stored or shared improperly.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad, natural-language expressions that could easily occur in ordinary conversation, causing accidental invocation. Because the skill can create files, store sensitive reflections, and potentially perform cleanup actions, overbroad triggering materially raises the chance of unintended data handling.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The phrase '帮我保存这个' ("help me save this") is a common everyday utterance and can ambiguously refer to many contexts, making accidental activation plausible. In this skill, such activation could result in persistent storage of content the user did not intend to archive or classify.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill encourages importing conversations and external content from platforms like WeChat, Feishu, Xiaohongshu, and local files, but provides no privacy warning or consent model. This is dangerous because users may transfer highly sensitive personal, workplace, or third-party data into persistent local storage without understanding retention, exposure, or sharing risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The initialization flow silently creates multiple directories and establishes persistent local storage as a prerequisite step, but the user-facing description does not foreground that behavior. Hidden or under-disclosed file creation is risky because it changes the local environment and may store sensitive material without informed consent.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill description is only in Chinese and provides no indication that language selection is based on user preference or consent. This can cause users to invoke or rely on a skill they cannot understand, weakening informed consent and increasing the chance of misuse, especially for a context-management skill that handles personal reflections and journal-like data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The observation notes that a vague request like '帮我管理一下知识' ("help me organize my knowledge a bit") may trigger the skill purely because it matches a broad keyword. In a context-management skill that can store, organize, and possibly reshape personal knowledge, overly broad activation can cause unintended handling of user content, incorrect tool execution, or privacy-impacting actions without clear user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The prompt set encourages activation from broad, natural-language phrases such as requests to manage context, record reflections, or organize knowledge without documenting tight boundaries or disambiguation rules. In an agent setting, this can cause over-triggering on ordinary conversation, leading to unintended note capture, storage, or follow-on actions on user content the user did not clearly consent to process in this way.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The example '帮我管理一下知识' ("help me organize my knowledge a bit") is intentionally vague, yet the expected behavior is to enter a clarification flow tied to this skill, which demonstrates that very general wording is sufficient to invoke the skill. This increases the chance of accidental activation and unauthorized processing of personal knowledge artifacts, especially because other test cases include scanning all notes and generating derived files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly instructs initialization of a local directory structure and subsequent storage of user journal, external content, and cognitive connections, but it does not mention obtaining user consent, warning about persistence, or clarifying where data will be written. In a skill that manages personal context and journaling, this creates a real privacy and safety risk because sensitive personal information may be silently persisted to disk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example workflow describes saving externally sourced content and derived 'connections' to disk without any warning about retention, storage location, or sensitivity of the saved material. Because this skill is specifically designed to collect personal reflections and knowledge links, the context makes silent persistence more dangerous: it can accumulate sensitive behavioral, intellectual, or personal data over time without informed consent.

Ssd 3

Medium
Confidence
91% confidence
Finding
The skill explicitly directs long-term retention of user-provided personal content, external materials, and chat-derived records in persistent files. Persistent storage of reflective notes and imported conversations increases exposure if the workspace is synced, shared, indexed, or later accessed by other tools or users.

Ssd 3

Medium
Confidence
88% confidence
Finding
The skill repeatedly asks for and stores the user's judgments, feelings, and diary-like reflections, which are highly sensitive personal data. Even absent malicious intent, this creates privacy and profiling risk because intimate cognitive and emotional patterns are preserved in structured files over time.

VirusTotal

66/66 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.