Flexible Database Design – SQLite flexible schema & knowledge base skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed SQLite knowledge-base builder with local scripts; it has real data-handling risks, but I did not find hidden, deceptive, or purpose-mismatched behavior.

Install only if you want an agent to help create and operate a local SQLite knowledge-base/archive. Before running examples, confirm the database path, keep generated databases and copied reports out of version control when sensitive, review any export destination, and only use FLEXIBLE_EXTRACTOR or --extractor with code you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Dynamic import via __import__()

Medium
Category
Dangerous Code Execution
Content
        return None
    mod_path, func_name = spec.rsplit(":", 1)
    try:
        mod = __import__(mod_path, fromlist=[func_name])
        return getattr(mod, func_name)
    except (ImportError, AttributeError) as e:
        logger.warning("抽取器加载失败 %s: %s", spec, e)
Confidence
93% confidence
Finding
mod = __import__(mod_path, fromlist=[func_name])

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    mod_path, func_name = spec.rsplit(":", 1)
    try:
        mod = __import__(mod_path, fromlist=[func_name])
        return getattr(mod, func_name)
    except (ImportError, AttributeError) as e:
        logger.warning("抽取器加载失败 %s: %s", spec, e)
        return None
Confidence
83% confidence
Finding
return getattr(mod, func_name)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation phrases are broad enough to match common, non-specialized requests like building a knowledge base or collecting scattered information, which can cause the skill to trigger in situations the user did not explicitly intend. In an agent environment with terminal access, unintended activation increases the chance the agent will steer toward file, database, or script operations that affect local data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README presents write-capable commands for archiving, importing, exporting, updating, deleting, and restoring data as routine usage without prominent warnings that these operations modify or disclose data. In a skill designed for agents with terminal permissions, this can normalize destructive or privacy-impacting actions and make accidental execution more likely.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation guidance is very broad, covering common requests like building a knowledge base, archiving reports, searching content, or collecting scattered information. That raises the chance the skill will trigger in loosely related contexts and steer the agent into file creation, schema design, and data ingestion workflows the user did not specifically request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These sections direct the agent to copy schema and scripts into the user's project, create a data directory, change database paths, and run commands, but they do not require an explicit warning or consent step first. Silent project modification is risky because it can alter repositories, overwrite files, or introduce code into environments where the user only asked for advice.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill recommends copying PDFs into the project and extracting/storing their contents, but it gives no privacy, retention, or sensitive-data warning. This is dangerous because documents may contain confidential or regulated information, and duplicating them plus extracted text expands exposure, persistence, and accidental check-in risk.

VirusTotal

64/64 vendors flagged this skill as clean.