Personal Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

This is a coherent personal knowledge-base skill, but it deserves review because imported document text and questions can be sent to ZhipuAI and deletion/update actions can permanently remove stored files.

Install only if you are comfortable sending imported document text, retrieved excerpts, and questions to ZhipuAI for embeddings and answers. Avoid importing confidential, regulated, or proprietary files unless that data flow is acceptable; use an environment variable rather than config.txt for the API key; and double-check knowledge-base and file names before update or delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The code sends user prompts and retrieved knowledge-base context to ZhipuAI's external chat completion API. Although this supports the advertised RAG/Q&A functionality, the skill description does not clearly disclose that document contents and queries leave the local environment, creating a real data disclosure risk for personal knowledge-base content.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
During ingestion, document chunks are uploaded to ZhipuAI's embedding API to generate vectors. For a personal knowledge-base skill, this can expose potentially sensitive file contents to a third party if users believe processing is local-only or are not clearly warned.

Missing User Warnings

Medium (87% confidence)
Finding
The README explicitly states that retrieved document content and user questions are sent to external AI services for embeddings and answer generation, but it does not warn users that potentially sensitive knowledge-base contents may leave the local environment. In a personal knowledge-base skill, users are likely to store private notes, work documents, or proprietary files, so the omission of a clear privacy notice can lead to unintended disclosure to third-party providers.

Missing User Warnings

Medium (91% confidence)
Finding
The update flow deletes the existing source file and its vectorized content before replacing it, but the documentation does not warn users about destructive behavior or failure scenarios. If the replacement step fails or the wrong file is targeted, data may be lost or the knowledge base may become inconsistent.

Missing User Warnings

Medium (94% confidence)
Finding
The skill documents permanent deletion of both vector entries and original source files without clearly warning about irreversible data loss. In a knowledge-base management context, this creates a real risk of accidental or induced deletion of valuable user documents.

Missing User Warnings

Medium (96% confidence)
Finding
The answer-generation path packages retrieved document content together with the user's question and sends it to an external LLM without a clear warning or consent check at the point of transmission. This increases the risk of unintentional disclosure of sensitive passages from the knowledge base during normal query use.

Missing User Warnings

Medium (97% confidence)
Finding
The ingestion flow transmits document chunks to an external embedding service without a user-facing warning at the time files are added. In a personal knowledge-base context, users may upload private notes or documents, so undisclosed third-party transmission is a meaningful confidentiality issue.

VirusTotal

VirusTotal findings are pending for this skill version.