Agentnotes

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate AgentNotes logging skill, but it sends user-provided task details to an external service with weak privacy boundaries and a few unsafe operational behaviors.

Install only if you are comfortable sending sanitized task summaries to AgentNotes. Do not log secrets, tokens, personal data, chat transcripts, regulated data, or detailed stack traces. Review the install script before upgrading over an existing local copy, and avoid running the verification command in shared terminals or CI logs unless the API-key display behavior has been fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The script is described as only verifying connectivity, but it performs a real authenticated POST that creates a log entry. This mismatch can mislead operators into sending data or mutating production state when they expect a read-only test, which is a security-relevant unsafe side effect.

Vague Triggers

Medium
Confidence: 86%
Finding
The skill encourages use after broad categories of activity such as cron jobs, channel replies, or multi-step sessions without any scoping guidance about sensitive content. In practice, this can cause operators or agents to send summaries of user interactions, failures, or internal workflow details to an external service more often than intended, increasing privacy and data exposure risk.

Vague Triggers

Medium
Confidence: 91%
Finding
The 'When to log' section uses expansive triggers like after any user message, any cron completion, or any skill/tool chain finishes, but does not define exclusions or privacy boundaries. That ambiguity makes over-collection likely and can lead to systematic transmission of sensitive operational or user-derived data to AgentNotes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description explains how to send task summaries, failures, and what happened to AgentNotes, but it does not clearly warn that this is an external transmission boundary. Without an explicit privacy warning, users may include sensitive business context, personal data, or error details in summaries under the mistaken assumption that this is local logging.

Missing User Warnings

Medium
Confidence: 97%
Finding
The installer unconditionally removes the existing destination directory with `rmSync(dest, { recursive: true, force: true })` before copying the new skill. If a user has local modifications, secrets, or other important files under that path, they will be deleted without warning or confirmation, causing irreversible data loss. In this installer context the behavior is not likely malicious, but it is still unsafe because it performs destructive file operations on a user-controlled workspace path.

Missing User Warnings

Medium
Confidence: 91%
Finding
This script sends arbitrary log messages and optional structured data to a remote service using an API key, but the file contains no safeguards, redaction, consent, or warnings about potentially sensitive content being transmitted. In the stated context (logging task outcomes after cron jobs, channel replies, or multi-step sessions), the message and JSON data may easily include secrets, user content, internal errors, or operational metadata, creating a real data-exposure risk if callers pass sensitive material.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script accepts user-supplied values such as summary, message, step, data, and error text from CLI arguments and transmits them directly to a remote AgentNotes service. In this skill context, those fields may contain operational details, chat content, task results, or error data, so sending them off-host without any disclosure, confirmation, redaction, or policy guard creates a real data-exposure risk, especially when used after multi-step sessions or channel replies.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script prints the first 12 characters of the API key to stdout, which exposes credential material in terminal history, CI logs, and shared observability systems. Even partial secret disclosure weakens secrecy, aids key correlation, and can materially increase the chance of credential compromise.

VirusTotal

64/64 vendors flagged this skill as clean.