Privacy Protector

Security checks across malware telemetry and agentic risk

Overview

This is a coherent privacy/redaction skill, but users should know that only the `lite` level runs locally; every other anonymization level sends the content to the Modeio API.

Install only if you are comfortable with the documented data flow. Use `--level lite` for local-only processing; avoid non-lite levels for regulated or confidential data unless the Modeio API is approved for that data; and remember that restore maps store the original sensitive values on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes capabilities including environment access, file read/write, shell execution, and optional network use, but does not declare permissions or clearly bound those operations in its metadata. In a privacy-focused skill that handles sensitive PII and restore maps, the absence of an explicit permission declaration weakens reviewability and can lead users to run a tool with broader access than they expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented primarily as a local/offline privacy tool, but the runtime notes disclose that several anonymization levels send content to a backend API, including potentially sensitive text/files and jurisdiction metadata. This mismatch is dangerous because users may supply regulated or confidential PII under the assumption processing is local, causing unintended data exfiltration and compliance violations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file docstring states that only `lite` is local and that other levels call a remote Modeio API, while the skill metadata/description emphasizes offline and local anonymization. That mismatch can cause users to submit sensitive raw input under a false assumption of local-only processing, resulting in unintended disclosure of PII to a third party.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The API destination is taken from the `ANONYMIZE_API_URL` environment variable with no allowlist or trust validation. Any party able to influence the environment can redirect raw input and mapping data to an arbitrary endpoint, turning this anonymization tool into a data exfiltration path for highly sensitive content.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file explicitly instantiates a RemoteApiProvider and the provider-selection logic sends content to it whenever the level is not "lite". In a skill marketed as privacy-protecting, local/offline anonymization, this creates a significant trust-boundary violation because sensitive input may leave the local environment and be transmitted to a remote service contrary to user expectations.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The RedactionProviderPipeline.run method chooses the remote provider for any level other than "lite", so ordinary configuration changes can silently route potentially sensitive text to an external API. Given the skill context emphasizes privacy protection and offline detector tuning, this mismatch is dangerous because it broadens data exposure beyond the advertised local-processing model.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This package explicitly exports a RemoteApiProvider, which indicates the skill supports sending data to a remote service. That conflicts with the skill context emphasizing local/offline privacy protection, and in a PII anonymization tool this mismatch is security-relevant because sensitive input may be transmitted off-device unexpectedly. Even if the remote path is optional, exposing it at the package level increases the chance of accidental or undisclosed use.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The provider explicitly forwards raw `content` to an external API callable, which conflicts with the skill's stated local/offline privacy-preserving behavior. In a privacy/redaction skill, this mismatch is dangerous because sensitive PII may leave the local environment unexpectedly, undermining user trust, compliance expectations, and confidentiality guarantees.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The tests explicitly exercise API-backed anonymization modes ('dynamic' and 'crossborder') even though the skill metadata emphasizes local/offline processing. This capability mismatch can mislead users into sending sensitive data to remote services under the assumption processing is local, creating privacy, compliance, and data-transfer risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
At execution time, the CLI accepts input and determines mode, but it does not present an explicit warning or consent gate before non-`lite` modes transmit raw content to the remote provider. In a privacy-focused skill, this increases the likelihood of accidental disclosure of confidential text or files because users may reasonably expect anonymization to happen locally first.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code passes user-supplied content to the remote anonymization callable without any visible warning, consent flow, or policy check at the point of transmission. For a tool handling PII, silent remote processing increases the risk of unauthorized data disclosure, regulatory violations, and accidental exposure of highly sensitive text or file contents.
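The findings on the unvalidated `ANONYMIZE_API_URL` and on the missing consent gate before non-`lite` levels transmit content describe the same missing control at two points. The block below is an added example, not the Privacy Protector skill's own code, showing how a provider-selection step can enforce both: the endpoint from `ANONYMIZE_API_URL` must be HTTPS and on an allowlist, and any level other than `lite` is refused unless the caller has explicitly consented to remote processing. The level names `lite`, `dynamic` and `crossborder` come from the report; everything else (`select_provider`, `describe_route`, `ALLOWED_API_HOSTS`, the two stand-in provider classes and the allowlisted host) is a hypothetical stand-in.

```python
"""Added example, not the Privacy Protector skill's own code: a guarded
provider selection.  Two controls are enforced before any content can
leave the machine: the remote endpoint read from ANONYMIZE_API_URL must be
HTTPS and on an allowlist, and every non-lite level requires explicit
consent.  All names below are hypothetical stand-ins.
"""
import os
import re
from urllib.parse import urlparse

# Assumed allowlist of approved anonymization backends; a real deployment
# would populate this from whatever approval covers the API for that data.
ALLOWED_API_HOSTS = frozenset({"api.modeio.example"})
LOCAL_ONLY_LEVEL = "lite"


class PolicyViolation(Exception):
    """Raised when a configuration would move content off the device."""


class LocalLiteProvider:
    """Stand-in for the local redactor: masks runs of four or more digits."""

    def redact(self, content: str) -> str:
        return re.sub(r"\d{4,}", lambda m: "#" * len(m.group(0)), content)


class RemoteApiProvider:
    """Stand-in for the remote provider; holds only a validated endpoint."""

    def __init__(self, api_url: str) -> None:
        self.api_url = api_url

    def redact(self, content: str) -> str:
        # Deliberately not implemented: the example never performs network I/O.
        raise NotImplementedError("remote call intentionally disabled in the example")


def validate_api_url(api_url: str) -> str:
    """Accept only https:// URLs whose host is on the allowlist."""
    parsed = urlparse(api_url)
    if parsed.scheme != "https":
        raise PolicyViolation(f"refusing non-HTTPS endpoint {api_url!r}")
    if parsed.hostname not in ALLOWED_API_HOSTS:
        raise PolicyViolation(f"endpoint host {parsed.hostname!r} is not allowlisted")
    return api_url


def select_provider(level: str, consent_remote: bool = False, env=None):
    """Choose a provider; anything other than lite needs explicit consent
    and a validated endpoint before content may be transmitted."""
    env = os.environ if env is None else env
    if level == LOCAL_ONLY_LEVEL:
        return LocalLiteProvider()
    if not consent_remote:
        raise PolicyViolation(
            f"level {level!r} sends raw content to a remote API; "
            "re-run with explicit consent or use --level lite"
        )
    api_url = env.get("ANONYMIZE_API_URL")
    if not api_url:
        raise PolicyViolation("ANONYMIZE_API_URL is not set")
    return RemoteApiProvider(validate_api_url(api_url))


def describe_route(level: str, consent_remote: bool = False, env=None) -> str:
    """Verdict a CLI could print before reading any input: where the
    content would go, or why the run is blocked."""
    try:
        provider = select_provider(level, consent_remote, env)
    except PolicyViolation as exc:
        return f"blocked: {exc}"
    if isinstance(provider, RemoteApiProvider):
        return f"remote: {provider.api_url}"
    return "local"


if __name__ == "__main__":
    # Constructed sample input; the phone-like number is made up.
    sample = "Call 5551234567 before the audit."
    print(describe_route("lite"), "->", LocalLiteProvider().redact(sample))
    print(describe_route("dynamic"))
    print(describe_route("dynamic", True, {"ANONYMIZE_API_URL": "https://evil.example/v1"}))
    print(describe_route("crossborder", True, {"ANONYMIZE_API_URL": "https://api.modeio.example/v1"}))
```

`describe_route` is meant to run before the CLI reads the input file, so a misconfigured or hostile `ANONYMIZE_API_URL` is rejected without the raw content ever being loaded, and a non-lite run without consent fails closed rather than silently routing to the API.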

VirusTotal

0 of 64 vendors flagged this skill; all 64 reported it clean.
