Open Thoughts

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only journaling helper whose persistent notes and callback reminders are disclosed, but users should treat the saved exploration files as durable local memory.

Install this only if you want the agent to keep durable exploration notes in the workspace. Review or delete the `explorations/` files periodically, avoid sensitive topics or raw contact details unless necessary, narrow generic triggers if your host supports it, and require user review before any saved action item is used to message someone.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list includes very generic phrases like "explore" and especially "think," which overlap with normal conversational language and can cause unintended invocation. In an agent environment, accidental activation is risky because this skill performs side effects such as writing persistent journal files and creating action items, potentially capturing user content or internal reasoning without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises exploratory behavior but does not prominently warn that it persists content to journal and action-item files, including callback targets that may be names, emails, phone numbers, or agent IDs. This creates a transparency and consent problem: users or supervising systems may invoke it expecting ephemeral thinking, while the skill quietly stores potentially sensitive content and identifiers on disk.

Ssd 3

Medium
Confidence: 90%
Finding
The rule "Journal everything" encourages unconditional persistence of all exploration content, which can include sensitive user prompts, personal details, inferred preferences, or information encountered during research. Because entries are stored in plain-language markdown files, this increases the chance of long-term retention, unauthorized reuse, or later disclosure beyond the original context.

Ssd 3

Medium
Confidence: 94%
Finding
The callback workflow explicitly supports storing named people and contact identifiers in action items and later sharing findings with them. Even though the skill says cron sessions should not send messages, it still builds a queue of personal contacts and intended disclosures, creating privacy risk, possible misdelivery, and unreviewed propagation of research notes to third parties in later sessions.

VirusTotal

65/65 vendors flagged this skill as clean.
