Summary

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed memory-summarization skill, but users should review saved notes so secrets or sensitive logs are not persisted.

Install this only if you want the agent to create and update durable memory notes. Review entries before saving, redact secrets and sensitive logs, and reserve P0/L0 memories for rules or preferences you intentionally want reused in future sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly directs the agent to persist summaries, troubleshooting details, and other session content into a memory system and specific files, but it provides no guardrails to detect or exclude sensitive data before storage. In practice, incident writeups and debugging summaries often contain secrets, internal endpoints, personal data, or proprietary operational details, so automatic persistence can create long-lived data exposure and retention risks.

Missing User Warnings

Medium
Confidence: 95%
Finding
The template specifically encourages storing logs, commands, and links, which are common carriers for credentials, access tokens, session identifiers, internal hostnames, and sensitive file paths. Because the skill provides no instruction to scrub or minimize these artifacts, it increases the chance that secrets or sensitive infrastructure details will be copied into durable memory files.

VirusTotal

66/66 vendors flagged this skill as clean.
