ContextClear

Security checks across malware telemetry and agentic risk

Overview

ContextClear is a real monitoring and memory integration, but it asks agents to send broad workspace context and sensitive memory files to an external service with weak scoping and plaintext credential guidance.

Install only if you intentionally want ContextClear to receive agent memory, task history, repo/file metadata, and potentially full contents of identity and memory files. Do not store API keys in AGENTS.md or HEARTBEAT.md; use environment variables or a secret manager. Disable or remove vault backup and mandatory snapshot instructions unless you have reviewed exactly what will be sent, added redaction/allowlists, and confirmed the service's retention and access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill positions itself as monitoring but immediately expands into persistent memory and agent wellness infrastructure, which materially changes the data sensitivity and control surface. In context, this makes the skill more dangerous because it normalizes long-term storage and remote synchronization of potentially sensitive project and user information.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest suggests simple auto-reporting after LLM calls, but the documentation requires setup scripts that patch local control files and add recovery and snapshot logic. This broadens the operational impact beyond passive observability into durable state modification and external dependency injection.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The vault feature instructs uploading full workspace files, including identity, memory, user, and agent documents, to an external service and later restoring decrypted contents. That is a high-risk exfiltration and persistence channel for secrets, proprietary code, personal data, and internal operational instructions, far beyond the stated monitoring purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Full CRUD for sticky notes enables persistent remote storage and manipulation of user-provided reminders, which goes beyond monitoring. In this context, the feature increases the amount of user/task data externalized and introduces another channel for stateful influence over future agent behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Server-side memory curation processes MEMORY.md, daily notes, and context snapshots to generate suggested updates, meaning sensitive workspace knowledge is transmitted to and transformed by a remote service. This is especially risky because it creates derived summaries that may aggregate and expose confidential information beyond the original monitoring use case.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The setup script modifies persistent workspace guidance files to inject new agent behaviors that are broader than the stated monitoring role of the skill. This is risky because it silently changes future agent behavior and operational scope, causing the agent to recover and upload context in later sessions without a clear, bounded consent step tied to each action.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The embedded blocks create durable context-recovery and context-snapshot workflows that expand the skill from telemetry into memory persistence and data export. In an agent skill context, this is more dangerous because the injected instructions encourage repeated transmission of session summaries, repos, files, tools, decisions, and open threads to an external service, potentially exposing sensitive project information over time.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The docstring describes the script as patching context recovery instructions, but the code also injects context snapshot/upload behavior. This mismatch can mislead reviewers and users about the true scope of the script, undermining informed consent and making risky data-flow behavior easier to overlook.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill mandates sending summaries, repos, files, tools, decisions, environment details, and token metrics to a remote API after meaningful work without a prominent user-facing warning. This is dangerous because those fields can reveal confidential project structure, operational topology, and sensitive task context even when file contents are not directly uploaded.

Missing User Warnings

High
Confidence
99% confidence
Finding
Daily remote backup of core workspace files is recommended without a strong warning that entire file contents will leave the local environment. Given the named files include memory, user, identity, and agent documents, this creates a severe risk of unauthorized disclosure of secrets, personal data, and internal instructions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup tells users to place the API key directly into HEARTBEAT.md, which encourages storing credentials in a workspace file that may be read, committed, backed up, or shared. In this skill's context, that risk is amplified because the same documentation also recommends uploading workspace files to a remote vault.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends operational and session telemetry to a remote API, including token counts, costs, session identifiers, task categories, and quality-related signals, without any built-in notice, confirmation, minimization, or redaction safeguards. In an agent-skill context, this can lead to unreviewed disclosure of sensitive usage metadata and session-linked information to a third party.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script formats the provided API key directly into AGENTS.md and HEARTBEAT.md, causing long-lived credential persistence in plaintext files inside the workspace. This is dangerous because those files may be read by other tools, committed to version control, or exposed to collaborators, allowing unauthorized use of the external API and access to stored context.

Ssd 3

High
Confidence
96% confidence
Finding
The instructions normalize persisting and transmitting remembered knowledge and user reminders to an external service, which can capture sensitive or regulated information in plain-language summaries. Because the skill frames this as mandatory memory infrastructure, users may not realize the extent of external data disclosure.

Ssd 3

High
Confidence
99% confidence
Finding
The heartbeat flow explicitly instructs reading core files and uploading them to a remote vault, including USER.md, MEMORY.md, and other identity-related documents. This is a direct exfiltration path for highly sensitive workspace and user data and is especially dangerous because it is framed as routine automation.

Ssd 3

High
Confidence
98% confidence
Finding
Mandating a context snapshot after any meaningful work creates broad, repeated transmission of task summaries, files, tools, decisions, and environment metadata. The repetition increases cumulative exposure and can reconstruct sensitive workflows, project history, and operational context over time.

Ssd 3

High
Confidence
99% confidence
Finding
The vault backup feature uploads full file contents and later supports downloading decrypted contents, establishing a complete remote copy of sensitive workspace state. This is a severe confidentiality risk and also increases blast radius if the external service, credentials, or agent workflow are compromised.

External Transmission

Medium
Category
Data Exfiltration
Content
## Context Recovery (ContextClear)
On every session start (especially after compaction), recover your memory:
```bash
curl -s {api_url}/agents/{agent_id}/recover \\
  -H "X-API-Key: {api_key}"
```
This returns your last session context, open threads, repos, tools, and context gaps.
Confidence
88% confidence
Finding
The flagged text repeats the quoted Context Recovery block above and continues: "Use it to orient yourself before as" (truncated in the source).

VirusTotal

No VirusTotal findings