Devlog

Security checks across malware telemetry and agentic risk

Overview

This skill is privacy-sensitive because it reads AI coding transcripts and can optionally publish a blog, but those behaviors are disclosed and aligned with its devlog purpose.

Install only if you are comfortable letting the skill inspect local AI coding-session transcripts. Scope each run to a specific project and time range; review the session index and the generated Markdown carefully; redact secrets, private paths, customer data, proprietary code details, and internal decisions; and provide Hashnode credentials only when you intentionally want the post published online.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill instructs the agent to read files, inspect environment variables, and execute shell scripts, but the manifest shown does not declare permissions for those capabilities. This creates a transparency and consent problem: users may invoke what appears to be a simple writing skill without realizing it can scan local session stores and run local scripts.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The description frames the skill as a transcript-to-blog generator, but the workflow also discovers local session data across multiple platforms, checks for credentials, and can publish content to an external service. That mismatch can mislead users about the true data access and outbound actions of the skill, increasing the chance of unintended disclosure of sensitive transcripts, file paths, or secrets-derived content.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The skill's documented behavior extends beyond generating a local blog file to publishing content online. Even though publication is presented as optional, it materially changes the security posture because sensitive transcript-derived content may be sent to a third-party platform and made public.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The skill instructs the agent to inspect environment variables for publishing credentials and ask the user to provide missing values. This increases the risk of credential handling by a skill whose primary purpose appears to be content generation, and can normalize over-collection or accidental exposure of secrets in chat or logs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: Generating a cover image, uploading it to a public URL, and then passing that URL into publication adds another external data flow not implied by the core transcript-to-blog purpose. This widens the attack and privacy surface by introducing third-party image generation/upload services and another public artifact tied to potentially sensitive work.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: This script does more than enumerate session files: it parses each transcript and emits the first and last user message text into the JSON output. Session transcripts can contain secrets, credentials, proprietary code, personal data, or sensitive prompts, so exposing raw snippets materially increases data leakage risk compared with a metadata-only session indexer. In this skill context, the risk is elevated because the tool is explicitly designed to read AI coding session transcripts and feed them into blog-generation workflows, which increases the chance that sensitive content is surfaced, propagated, or published.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The script recursively enumerates multiple common directories under the user's home directory to infer project roots from Gemini's hashed session storage. That exceeds the minimum data access needed to list sessions for a named project and can disclose the existence and layout of unrelated local repositories and workspaces, especially when used inside a broader skill that generates narrative summaries from session data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The fallback logic opens prior session files and inspects tool-call arguments to recover absolute file paths, effectively mining historical session contents for sensitive path information unrelated to the immediate request. Because tool arguments may include private source locations, workspace names, or other filesystem metadata, this creates a clear privacy boundary violation and expands access from session indexing into retrospective data extraction.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The script goes beyond listing sessions and extracts the first and last user messages from transcript files, then emits that content in its JSON output. Because session transcripts can contain secrets, personal data, or sensitive prompts, this creates an unnecessary data exposure surface and can leak conversation content to downstream consumers that only expected metadata.

Ssd 3

Severity: Medium
Confidence: 92%
Finding: The guide explicitly frames the agent as having complete memory of full transcripts and instructs it to retell that material in a public-facing blog narrative. That creates a real data-leakage pathway because user prompts, decisions, mistakes, constraints, and other session details may be reproduced as natural-language output without a minimization or consent boundary.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: This section repeatedly instructs the skill to mine transcripts for user intent, disagreements, debugging details, approvals, and long stretches of agent activity, then turn those into story content. Even if intended for harmless documentation, these extraction patterns materially increase the chance of exposing internal development history, confidential requirements, security discussions, or other sensitive context that would not normally be published.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
  - builder's log
  - coding session blog
  - session summary
  - write about what I built
  - blog about a feature
  - write up our coding session
  - tutorial from sessions
Confidence: 78%
Finding: write about what I built - blog about a feature - write up our coding session - tutorial from sessions - publish a devlog description: >- Generate narrative blog posts from AI coding session

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal